Entity group behavior profiling
3 Assignments
0 Petitions
Abstract
Entity group behavior profiling. An entity group is created that includes multiple entities, where each entity represents one of a user, a machine, and a service. A behavior profile is created for each one of the entities of the entity group. The behavior of each one of the entities of the entity group is monitored to detect behavior change. An indicator of compromise is detected based on multiple ones of the entities experiencing substantially a same behavior change.
39 Citations
26 Claims
1. A method, comprising:
creating, by a multi-tier security framework, an entity group that includes a plurality of entities, wherein each one of the plurality of entities represents one of a user, a machine, or a service;
creating, by the multi-tier security framework, a behavior profile for each one of the plurality of entities of the entity group, wherein each behavior profile includes one or more features;
monitoring behavior of each one of the plurality of entities of the entity group by the multi-tier security framework to detect behavior change;
detecting, by a local data engine, an indicator of compromise based on each of the plurality of entities experiencing substantially a same behavior change, the indicator of compromise identifying that a potential threat is directed toward a network including the plurality of entities;
responsive to detecting the indicator of compromise based on each of the plurality of entities experiencing substantially the same behavior change, analyzing the substantially same behavior change of each of the plurality of entities to identify a portion of data related to processing of each of the plurality of entities, the processing occurring at a time prior to the detecting of the indicator of compromise; and
transmitting the indicator of compromise and the identified portion of data to a central computer for further analysis and modeling.
Dependent claims 2-10 (not listed on this page).

11. A non-transitory machine-readable storage medium that provides instructions that, if executed by a processor, will cause said processor to perform operations comprising:
creating an entity group that includes a plurality of entities, wherein each one of the plurality of entities represents one of a user, a machine, or a service;
creating a behavior profile for each one of the plurality of entities of the entity group;
monitoring behavior of each one of the plurality of entities of the entity group to detect behavior change;
detecting an indicator of compromise based on each of the plurality of entities experiencing substantially a same behavior change, the indicator of compromise identifying that a potential threat is directed toward a network including the plurality of entities;
responsive to detecting the indicator of compromise based on each of the plurality of entities experiencing substantially the same behavior change, analyzing the substantially same behavior change of each of the plurality of entities to identify a portion of data related to processing of each of the plurality of entities, the processing occurring at a time prior to the detecting of the indicator of compromise; and
transmitting the indicator of compromise and the identified portion of data to a central computer for further analysis and modeling.
Dependent claims 12-18 (not listed on this page).

19. An apparatus for collaborative and adaptive threat intelligence, comprising:
a processor; and
a non-transitory machine-readable storage medium containing instructions, that when executed by said processor, cause said apparatus to:
create an entity group that includes a plurality of entities, wherein each one of the plurality of entities represents one of a user, a machine, or a service;
create a behavior profile for each one of the plurality of entities of the entity group;
monitor behavior of each one of the plurality of entities of the entity group to detect behavior change;
detect an indicator of compromise based on each of the plurality of entities experiencing substantially a same behavior change, the indicator of compromise identifying that a potential threat is directed toward a network including the plurality of entities;
responsive to detecting the indicator of compromise based on each of the plurality of entities experiencing substantially the same behavior change, analyzing the substantially same behavior change of each of the plurality of entities to identify a portion of data related to processing of each of the plurality of entities, the processing occurring at a time prior to the detecting of the indicator of compromise; and
transmitting the indicator of compromise and the identified portion of data to a central computer for further analysis and modeling.
Dependent claims 20-26 (not listed on this page).
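The independent claims describe one pipeline: build a per-entity behavior profile from a few features, watch each entity for a departure from its own baseline, treat the situation where every member of the group departs in the same way as an indicator of compromise (a lone entity drifting is not one), pull each entity's data from the windows before the detection, and ship the IoC plus that data to a central computer. The following is an added worked example of that pipeline; it is not the patent's own code or any product's implementation. The feature set (`bytes_out`, `dns_queries`, `new_processes`), the z-score test for "behavior change", the "shared (feature, direction)" test for "substantially the same", the three-window lookback, the host names and the traffic values are all constructed assumptions made for the illustration.

```python
"""Group-level behaviour-change detection, added as an illustration of the
claimed method.  Not the patent's code: the feature set, the z-score change
test, the "substantially the same" test, the lookback depth and the sample
events are all assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

FEATURES = ("bytes_out", "dns_queries", "new_processes")  # assumed features
Z_THRESHOLD = 3.0   # assumed: a feature "changed" when beyond 3 sigma
LOOKBACK = 3        # assumed: windows of pre-detection data sent with the IoC


@dataclass
class BehaviorProfile:
    """Baseline for one entity (a user, a machine or a service)."""
    entity: str
    kind: str
    history: dict = field(default_factory=lambda: defaultdict(list))

    def learn(self, window):
        for f in FEATURES:
            self.history[f].append(window[f])

    def behavior_change(self, window):
        """Map each out-of-baseline feature to its direction ("up"/"down")."""
        changed = {}
        for f in FEATURES:
            hist = self.history[f]
            if len(hist) < 2:          # nothing to compare against yet
                continue
            mu = mean(hist)
            # Floor on sigma so a flat baseline does not flag trivial jitter.
            sigma = max(pstdev(hist), 0.05 * abs(mu), 1.0)
            z = (window[f] - mu) / sigma
            if abs(z) > Z_THRESHOLD:
                changed[f] = "up" if z > 0 else "down"
        return changed


class CentralComputer:
    """Stand-in for the central computer that receives IoCs for modelling."""
    def __init__(self):
        self.inbox = []

    def receive(self, report):
        self.inbox.append(report)


class LocalDataEngine:
    """Monitors one entity group; raises an IoC only when every member shows
    substantially the same behaviour change in the same window."""

    def __init__(self, profiles, central):
        self.profiles = {p.entity: p for p in profiles}
        self.central = central
        self.raw = defaultdict(list)          # entity -> [(window_id, window)]

    def process_window(self, window_id, observations):
        """observations: {entity: {feature: value}} for one time window.
        Returns the IoC report if one was raised, else None."""
        changes = {}
        for entity, window in observations.items():
            prof = self.profiles[entity]
            changes[entity] = prof.behavior_change(window)
            self.raw[entity].append((window_id, window))
            if not changes[entity]:
                prof.learn(window)   # never fold an anomalous window into the baseline
        change_sets = [frozenset(c.items()) for c in changes.values()]
        # Assumed "substantially the same" test: every entity changed and they
        # share at least one (feature, direction).  A lone entity changing is
        # left to per-entity alerting; it is not a group IoC.
        if not change_sets or not all(change_sets):
            return None
        common = frozenset.intersection(*change_sets)
        if not common:
            return None
        # Identify each entity's data from the windows before the detection.
        prior = {e: [(wid, w) for wid, w in self.raw[e] if wid < window_id][-LOOKBACK:]
                 for e in changes}
        report = {"window": window_id, "entities": sorted(changes),
                  "ioc": sorted(common), "prior_data": prior}
        self.central.receive(report)
        return report


def run_demo():
    """Constructed traffic for three workstations; not real telemetry."""
    hosts = ["ws-01", "ws-02", "ws-03"]
    central = CentralComputer()
    engine = LocalDataEngine([BehaviorProfile(h, "machine") for h in hosts], central)
    quiet = {"bytes_out": 100, "dns_queries": 20, "new_processes": 5}
    # Windows 1-5: quiet baseline with a little jitter.
    for wid in range(1, 6):
        engine.process_window(wid, {h: {f: quiet[f] + wid % 2 for f in FEATURES} for h in hosts})
    # Window 6: only ws-01 pushes data out -> no group IoC.
    obs = {h: dict(quiet) for h in hosts}
    obs["ws-01"]["bytes_out"] = 5000
    single = engine.process_window(6, obs)
    # Window 7: every host starts beaconing -> group IoC with lookback data.
    obs = {h: {"bytes_out": 4000, "dns_queries": 300, "new_processes": 5} for h in hosts}
    group = engine.process_window(7, obs)
    return single, group, len(central.inbox)


if __name__ == "__main__":
    s, g, n = run_demo()
    print("single-entity window:", s)
    print("group IoC:", g["ioc"], "prior windows for ws-01:",
          [wid for wid, _ in g["prior_data"]["ws-01"]], "reports sent:", n)
```

Two points in the example matter in practice. First, the engine learns only from windows in which an entity showed no change, otherwise a slow, coordinated drift would be absorbed into every baseline and the group would never look anomalous. Second, the lookback is why the central computer gets something useful: in the constructed run, the `prior_data` for `ws-01` includes window 6, where that host alone spiked before the whole group did, which is exactly the pre-detection processing data the claims say should travel with the IoC.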
Specification