Detecting security threats in a local network

US 10,305,922 B2
Filed: 10/21/2016
Issued: 05/28/2019
Est. Priority Date: 10/21/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a security analytics system, raw data describing behavior of a plurality of entities within a local network, the plurality of entities comprising at least one user and at least one device;

identifying each entity of the plurality of entities based on the raw data;

determining, for each entity of the plurality of entities in the local network, a set of entity properties based on the received raw data, the raw data comprising data logged by devices in the local network;

determining entity relationships between the plurality of entities in the local network based on the determined entity properties, each entity relationship of the determined entity relationships comprising a timeframe during which the relationship existed;

generating an entity graph describing the entity relationships, wherein nodes of the entity graph represent respective entities within the local network and edges in the graph represent relationships between the entities, and wherein each edge is associated with the respective timeframe of the relationship;

using the relationships represented by the entity graph to generate one or more threat scores for an entity over one or more relationship timeframes, wherein the threat score indicates a likelihood that the entity in the local network is exhibiting malicious behavior; and

in response to determining that a particular threat score for the entity for a particular timeframe exceeds a first threshold, restricting access by the entity to data of the local network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a system for detecting security threats in a local network. A security analytics system collects data about entities in the local network. The security analytics system identifies the entities in the raw data and determines a set of properties about each of the identified entities. The entity properties contain information about the entity and can be temporary or permanent properties about the entity. The security analytics system determines relationships between the identified entities and can be determined based on the entity properties for the identified properties. An entity graph is generated that describes the entity relationships, wherein the nodes of the entity graph represent entities and the edges of the entity graph represent entity relationships. The security analytics system provides a user interface to a user that contains the entity graph and the relationships described therein.

77 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving, at a security analytics system, raw data describing behavior of a plurality of entities within a local network, the plurality of entities comprising at least one user and at least one device;
  
  identifying each entity of the plurality of entities based on the raw data;
  
  determining, for each entity of the plurality of entities in the local network, a set of entity properties based on the received raw data, the raw data comprising data logged by devices in the local network;
  
  determining entity relationships between the plurality of entities in the local network based on the determined entity properties, each entity relationship of the determined entity relationships comprising a timeframe during which the relationship existed;
  
  generating an entity graph describing the entity relationships, wherein nodes of the entity graph represent respective entities within the local network and edges in the graph represent relationships between the entities, and wherein each edge is associated with the respective timeframe of the relationship;
  
  using the relationships represented by the entity graph to generate one or more threat scores for an entity over one or more relationship timeframes, wherein the threat score indicates a likelihood that the entity in the local network is exhibiting malicious behavior; and
  
  in response to determining that a particular threat score for the entity for a particular timeframe exceeds a first threshold, restricting access by the entity to data of the local network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - in response to determining that the threat score for the entity exceeds a second threshold,providing an indication of the detected entity to a user of the security analytics system.
  - 3. The method of claim 1, wherein the sets of entity properties comprises permanent entity properties and temporary entity properties, the temporary entity properties being associated with a timestamp.
  - 4. The method of claim 3, further comprising:
    - determining, for each determined entity relationship, the timeframe based on at least one timestamp of a temporary entity property in the set of entity properties associated with an entity associated with the entity relationship.
  - 5. The method of claim 1, wherein each entity relationship comprises a relationship type.
  - 6. The method of claim 5, wherein at least one entity relationship of the determined entity relationships comprises an ownership relationship type.
  - 7. The method of claim 5, wherein at least one entity relationship of the determined entity relationships comprises a membership relationship type.
  - 8. The method of claim 5, wherein at least one entity relationship of the determined entity relationships comprises a co-residence relationship type.
  - 9. The method of claim 1, wherein determining entity relationships between the plurality of entities in the local network further comprises:
    - identifying a first entity in the plurality of entities, the first entity being associated with a first set of entity properties;
      
      identifying a second entity in the plurality of entities different from the first entity, the second entity being associated with a first set of entity properties; and
      
      establishing an entity relationship between the first entity and the second entity based on the first set of entity properties, the second set of entity properties, and the raw data.
  - 10. The method of claim 9, wherein the entity relationship is established responsive to the first set of entity properties containing at least one entity property that is also contained by the second set of entity properties.
  - 11. The method of claim 10, wherein the at least one entity property contained by the first set of entity properties and the second set of entity properties is in a set of particular entity properties for establishing entity relationships.

12. A computer program product comprising a non-transitory computer-readable storage medium configured to store executable computer code that, when executed by a processor, causes the processor to perform the steps of:
- receiving, at a security analytics system, raw data describing behavior of a plurality of entities within a local network, the plurality of entities comprising at least one user and at least one device;
  
  identifying each entity of the plurality of entities based on the raw data;
  
  determining, for each entity of the plurality of entities in the local network, a set of entity properties based on the received raw data, the raw data comprising data logged by devices in the local network;
  
  determining entity relationships between the plurality of entities in the local network based on the determined entity properties, each entity relationship of the determined entity relationships comprising a timeframe during which the relationship existed;
  
  generating an entity graph describing the entity relationships, wherein nodes of the entity graph represent respective entities within the local network and edges in the graph represent relationships between the entities, and wherein each edge is associated with the respective timeframe of the relationship;
  
  using the relationships represented by the entity graph to generate one or more threat scores for an entity over one or more relationship timeframes, wherein the threat score indicates a likelihood that the entity in the local network is exhibiting malicious behavior; and
  
  in response to determining that a particular threat score for the entity for a particular timeframe exceeds a first threshold, restricting access by the entity to data of the local network.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The computer program product of claim 12, wherein the steps executed by the processor further comprise:
    - in response to determining that the threat score for the entity exceeds a second threshold, generating a set of features of the raw data based on the raw data and the entity graph;
      
      providing an indication of the detected entity to a user of the security analytics system.
  - 14. The computer program product of claim 12, wherein the sets of entity properties comprises permanent entity properties and temporary entity properties, the temporary entity properties being associated with a timestamp.
  - 15. The computer program product of claim 14, wherein the steps executed by the processor further comprise:
    - determining, for each determined entity relationship, the timeframe based on at least one timestamp of a temporary entity property in the set of entity properties associated with an entity associated with the entity relationship.
  - 16. The computer program product of claim 12, wherein each entity relationship comprises a relationship type from the set comprising:
    - an ownership relationship type, a membership relationship type, and a co-residence relationship type.
  - 17. The computer program product of claim 12, wherein the step of determining entity relationships between the plurality of entities in the local network further comprises:
    - identifying a first entity in the plurality of entities, the first entity being associated with a first set of entity properties;
      
      identifying a second entity in the plurality of entities different from the first entity, the second entity being associated with a first set of entity properties; and
      
      establishing an entity relationship between the first entity and the second entity based on the first set of entity properties, the second set of entity properties, and the raw data.
  - 18. The computer program product of claim 17, wherein the entity relationship is established responsive to the first set of entity properties containing at least one entity property that is also contained by the second set of entity properties.
  - 19. The computer program product of claim 18, wherein the at least one entity property contained by the first set of entity properties and the second set of entity properties is in a set of particular entity properties for establishing entity relationships.

20. A system comprising one or more computing devices having one or more processors and one or more computer-readable storage media storing executable computer code, that when executed causes the one or more processors to perform the steps of:
- receiving, at a security analytics system, raw data describing behavior of a plurality of entities within a local network, the plurality of entities comprising at least one user and at least one device;
  
  identifying each entity of the plurality of entities based on the raw data;
  
  determining, for each entity of the plurality of entities in the local network, a set of entity properties based on the received raw data, the raw data comprising data logged by devices in the local network;
  
  determining entity relationships between the plurality of entities in the local network based on the determined entity properties, each entity relationship of the determined entity relationships comprising a timeframe during which the relationship existed;
  
  generating an entity graph describing the entity relationships, wherein nodes of the entity graph represent respective entities within the local network and edges in the graph represent relationships between the entities, and wherein each edge is associated with the respective timeframe of the relationship;
  
  using the relationships represented by the entity graph to generate one or more threat scores for an entity over one or more relationship timeframes, wherein the threat score indicates a likelihood that the entity in the local network is exhibiting malicious behavior; and
  
  in response to determining that a particular threat score for the entity for a particular timeframe exceeds a first threshold, restricting access by the entity to data of the local network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Devi Reddy, Ravi Kumar, Doddi, Srinivas Rao, Kutare, Mahendra Kumar, Briguet, Christophe
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US15/331,654
Publication Number

US 20170118240A1
Time in Patent Office

949 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 16/904   Browsing; Visualisation the...

G06N 20/00   Machine learning

G06N 5/02   Knowledge representation; S...

G06N 7/01   Probabilistic graphical mod...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Detecting security threats in a local network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

77 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting security threats in a local network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links