Entity group behavior profiling

US 10,212,176 B2
Filed: 06/18/2015
Issued: 02/19/2019
Est. Priority Date: 06/23/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

creating, by a multi-tier security framework, an entity group that includes a plurality of entities, wherein each one of the plurality of entities represents one of a user, a machine, or a service;

creating, by the multi-tier security framework, a behavior profile for each one of the plurality of entities of the entity group, wherein each behavior profile includes one or more features;

monitoring behavior of each one of the plurality of entities of the entity group by the multi-tier security framework to detect behavior change;

detecting, by a local data engine, an indicator of compromise based on each of the plurality of entities experiencing substantially a same behavior change, the indicator of compromise identifying that a potential threat is directed toward a network including the plurality of entities;

responsive to detecting the indicator of compromise based on each of the plurality of entities experiencing substantially the same behavior change, analyzing the substantially same behavior change of each of the plurality of entities to identify a portion of data related to processing of each of the plurality of entities, the processing occurring at a time prior to the detecting of the indicator of compromise; and

transmitting the indicator of compromise and the identified portion of data to a central computer for further analysis and modeling.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Entity group behavior profiling. An entity group is created that includes multiple entities, where each entity represents one of a user, a machine, and a service. A behavior profile is created for each one of the entities of the entity group. The behavior of each of one of the entities of the entity group is monitored to detect behavior change. An indicator of compromise is detected based on multiple ones of the entities experiencing substantially a same behavior change.

39 Citations

View as Search Results

26 Claims

1. A method, comprising:
- creating, by a multi-tier security framework, an entity group that includes a plurality of entities, wherein each one of the plurality of entities represents one of a user, a machine, or a service;
  
  creating, by the multi-tier security framework, a behavior profile for each one of the plurality of entities of the entity group, wherein each behavior profile includes one or more features;
  
  monitoring behavior of each one of the plurality of entities of the entity group by the multi-tier security framework to detect behavior change;
  
  detecting, by a local data engine, an indicator of compromise based on each of the plurality of entities experiencing substantially a same behavior change, the indicator of compromise identifying that a potential threat is directed toward a network including the plurality of entities;
  
  responsive to detecting the indicator of compromise based on each of the plurality of entities experiencing substantially the same behavior change, analyzing the substantially same behavior change of each of the plurality of entities to identify a portion of data related to processing of each of the plurality of entities, the processing occurring at a time prior to the detecting of the indicator of compromise; and
  
  transmitting the indicator of compromise and the identified portion of data to a central computer for further analysis and modeling.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein creating the entity group is performed responsive to receiving input from a user that specifies the plurality of entities belonging to the entity group.
  - 3. The method of claim 1, wherein creating the entity group is automatically performed and populated with the plurality of entities based on a set of one or more attributes common to those plurality of entities.
  - 4. The method of claim 1, wherein creating the entity group is automatically performed and populated with the plurality of entities based on those plurality of entities previously showing similar behavior.
  - 5. The method of claim 1, wherein the created behavior profile for each one of the plurality of entities of the entity group includes a set of one or more features that are used to distinguish behavior between the plurality of entities.
  - 6. The method of claim 1, wherein the created behavior profile for each one of the plurality of entities of the entity group includes a set of one or more features that are used to distinguish behavior of the created entity group as compared to behavior of a different entity group.
  - 7. The method of claim 6, wherein the set of features are extracted or derived from metadata and other items of interest including one or more of:
    - network packets propagating to/from devices, log information, and flow based connection records.
  - 8. The method of claim 1,wherein the indicator of compromise includes a distance measure determined for each feature of a first behavior profile, combining the distance measure for each feature into a combined distance, and determining that the combined distance exceeds a predefined compromise threshold, andwherein identifying the amount of data related to occurrences of the substantially same behavior change occurring during a previous time period is the amount of data that occurred after a trigger threshold, the trigger threshold being less than the predefined compromise threshold.
  - 9. The method of claim 1, wherein the multi-tier security framework includes (i) at least one network sensor engine configured to collect and store information associated with one or more of the plurality of entities, and (ii) a data analysis engine configured to perform analytics on the information associated with one or more of the plurality of entities.
  - 10. The method of claim 1, further comprising:
    - generating, by the multi-tier security framework, a user behavior risk score for each of the plurality of entities.

11. A non-transitory machine-readable storage medium that provides instructions that, if executed by a processor, will cause said processor to perform operations comprising:
- creating an entity group that includes a plurality of entities, wherein each one of the plurality of entities represents one of a user, a machine, or a service;
  
  creating a behavior profile for each one of the plurality of entities of the entity group;
  
  monitoring behavior of each one of the plurality of entities of the entity group to detect behavior change;
  
  detecting an indicator of compromise based on each of the plurality of entities experiencing substantially a same behavior change, the indicator of compromise identifying that a potential threat is directed toward a network including the plurality of entities;
  
  responsive to detecting the indicator of compromise based on each of the plurality of entities experiencing substantially the same behavior change, analyzing the substantially same behavior change of each of the plurality of entities to identify a portion of data related to processing of each of the plurality of entities, the processing occurring at a time prior to the detecting of the indicator of compromise; and
  
  transmitting the indicator of compromise and the identified portion of data to a central computer for further analysis and modeling.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The non-transitory machine-readable storage medium of claim 11, wherein creating the entity group is performed responsive to receiving input from a user that specifies the plurality of entities belonging to the entity group.
  - 13. The non-transitory machine-readable storage medium of claim 11, wherein creating the entity group is automatically performed and populated with the plurality of entities based on a set of one or more attributes common to those plurality of entities.
  - 14. The non-transitory machine-readable storage medium of claim 11, wherein creating the entity group is automatically performed and populated with the plurality of entities based on those plurality of entities previously showing similar behavior.
  - 15. The non-transitory machine-readable storage medium of claim 11, wherein the created behavior profile for each one of the plurality of entities of the entity group includes a set of one or more features that are used to distinguish behavior between the plurality of entities.
  - 16. The non-transitory machine-readable storage medium of claim 11, wherein the created behavior profile for each one of the plurality of entities of the entity group includes a set of one or more features that are used to distinguish behavior of the created entity group as compared to behavior of a different entity group.
  - 17. The non-transitory machine-readable storage medium of claim 16, wherein the set of features are extracted or derived from metadata and other items of interest including one or more of:
    - network packets propagating to/from devices, log information, and flow based connection records.
  - 18. The non-transitory machine-readable storage medium of claim 11,wherein detecting an indicator of compromise includes determining a distance measure determined for each feature of a first behavior profile, combining the distance measure for each feature into a combined distance, and determining that the combined distance exceeds a predefined compromise threshold, andwherein identifying the amount of data related to occurrences of the substantially same behavior change occurring during a previous time period is the amount of data that occurred after a trigger threshold, the trigger threshold being less than the predefined compromise threshold.

19. An apparatus for collaborative and adaptive threat intelligence, comprising:
- a processor; and
  
  a non-transitory machine-readable storage medium containing instructions, that when executed by said processor, cause said apparatus to;
  
  create an entity group that includes a plurality of entities, wherein each one of the plurality of entities represents one of a user, a machine, or a service;
  
  create a behavior profile for each one of the plurality of entities of the entity group;
  
  monitor behavior of each one of the plurality of entities of the entity group to detect behavior change;
  
  detect an indicator of compromise based on each of the plurality of entities experiencing substantially a same behavior change, the indicator of compromise identifying that a potential threat is directed toward a network including the plurality of entities;
  
  responsive to detecting the indicator of compromise based on each of the plurality of entities experiencing substantially the same behavior change, analyzing the substantially same behavior change of each of the plurality of entities to identify a portion of data related to processing of each of the plurality of entities, the processing occurring at a time prior to the detecting of the indicator of compromise; and
  
  transmitting the indicator of compromise and the identified portion of data to a central computer for further analysis and modeling.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The non-transitory machine-readable storage medium of claim 19, wherein creation of the entity group is performed responsive to receiving input from a user that specifies the plurality of entities belonging to the entity group.
  - 21. The non-transitory machine-readable storage medium of claim 19, wherein creation of the entity group is automatically performed and populated with the plurality of entities based on a set of one or more attributes common to those plurality of entities.
  - 22. The non-transitory machine-readable storage medium of claim 19, wherein creation of the entity group is automatically performed and populated with the plurality of entities based on those plurality of entities previously showing similar behavior.
  - 23. The non-transitory machine-readable storage medium of claim 19, wherein once created, the behavior profile for each one of the plurality of entities of the entity group includes a set of one or more features that are used to distinguish behavior between the plurality of entities.
  - 24. The non-transitory machine-readable storage medium of claim 19, wherein once crated, the behavior profile for each one of the plurality of entities of the entity group includes a set of one or more features that are used to distinguish behavior of the created entity group as compared to behavior of a different entity group.
  - 25. The non-transitory machine-readable storage medium of claim 24, wherein the set of features are extracted or derived from metadata and other items of interest including one or more of:
    - network packets propagating to/from devices, log information, and flow based connection records.
  - 26. The apparatus of claim 19,wherein detecting the indicator of compromise includes determining a distance measure determined for each feature of a first behavior profile, combining the distance measure for each feature into a combined distance, and determining that the combined distance exceeds a predefined compromise threshold, andwherein identifying the amount of data related to occurrences of the substantially same behavior change occurring during a previous time period is the amount of data that occurred after a trigger threshold, the trigger threshold being less than the predefined compromise threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Wang, Jisheng
Primary Examiner(s)
Powers, William S

Application Number

US14/743,861
Publication Number

US 20150373039A1
Time in Patent Office

1,342 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04W 4/38 for collecting sensor infor...

Entity group behavior profiling

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Entity group behavior profiling

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links