Detecting security threats in a local network
First Claim
1. A method comprising:
receiving, at a security analytics system, raw data describing behavior of a plurality of entities within a local network, the plurality of entities comprising at least one user and at least one device;
identifying each entity of the plurality of entities based on the raw data;
determining, for each entity of the plurality of entities in the local network, a set of entity properties based on the received raw data, the raw data comprising data logged by devices in the local network;
determining entity relationships between the plurality of entities in the local network based on the determined entity properties, each entity relationship of the determined entity relationships comprising a timeframe during which the relationship existed;
generating an entity graph describing the entity relationships, wherein nodes of the entity graph represent respective entities within the local network and edges in the graph represent relationships between the entities, and wherein each edge is associated with the respective timeframe of the relationship;
using the relationships represented by the entity graph to generate one or more threat scores for an entity over one or more relationship timeframes, wherein the threat score indicates a likelihood that the entity in the local network is exhibiting malicious behavior; and
in response to determining that a particular threat score for the entity for a particular timeframe exceeds a first threshold, restricting access by the entity to data of the local network.
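The pipeline in claim 1 (identify entities from logged data, derive per-entity properties, derive relationships that each carry a timeframe, build the entity graph, score an entity over one or more relationship timeframes, and restrict access when the score exceeds a threshold), as an added worked example in Python. This is not the patent's or its assignee's implementation: the log format, the entity types (user, device, address, share), the 0-100 scoring weights, the restriction threshold of 70, and the log lines themselves are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines for this example (not real data).
# Format per line: "<epoch-seconds> <source> <action> key=value ...".
SAMPLE_LOGS = """\
1000 dhcp lease ip=10.0.0.5 mac=aa:bb:cc:dd:ee:01 host=laptop-17
1100 auth login user=alice host=laptop-17 result=success
1200 auth login user=alice host=laptop-17 result=success
1400 auth login user=bob host=laptop-17 result=failure
1405 auth login user=bob host=laptop-17 result=failure
1410 auth login user=bob host=laptop-17 result=failure
1420 auth login user=bob host=laptop-17 result=failure
1430 auth login user=bob host=laptop-17 result=failure
1440 auth login user=bob host=laptop-17 result=success
1500 files access user=bob host=laptop-17 share=finance bytes=900000000
1600 dhcp lease ip=10.0.0.5 mac=aa:bb:cc:dd:ee:09 host=unknown-pc
"""

LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<src>\w+) (?P<action>\w+)(?P<kv>(?: \S+=\S+)*)$")

# Which log fields name an entity, and the entity type they imply (assumed).
ENTITY_FIELDS = {"user": "user", "host": "device", "ip": "address", "share": "share"}

# Assumed scoring weights (0-100 scale) and restriction threshold; illustrative only.
FAILED_LOGIN_FLOOR = 5
BULK_READ_BYTES = 500_000_000
RESTRICT_THRESHOLD = 70


def parse_logs(text):
    """Raw data -> list of event dicts. Lines that do not match the format are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = {"ts": int(m["ts"]), "src": m["src"], "action": m["action"]}
        ev.update(pair.split("=", 1) for pair in m["kv"].split())
        events.append(ev)
    return events


def identify_entities(ev):
    """Entity identification step: map an event's fields to (type, name) ids."""
    return {t: (t, ev[f]) for f, t in ENTITY_FIELDS.items() if f in ev}


def build_graph(events):
    """Nodes: entity -> properties (first/last seen, observed attributes).
    Edges: (a, b, kind) -> {"start", "end", "events"}; [start, end] is the
    timeframe during which the relationship was observed."""
    nodes, edges = {}, {}

    def touch(ent, ts):
        p = nodes.setdefault(ent, {"first_seen": ts, "last_seen": ts, "attrs": defaultdict(set)})
        p["first_seen"], p["last_seen"] = min(p["first_seen"], ts), max(p["last_seen"], ts)
        return p

    def relate(a, b, kind, ev):
        e = edges.setdefault((a, b, kind), {"start": ev["ts"], "end": ev["ts"], "events": []})
        e["start"], e["end"] = min(e["start"], ev["ts"]), max(e["end"], ev["ts"])
        e["events"].append(ev)

    for ev in events:
        ents = identify_entities(ev)
        for ent in ents.values():
            touch(ent, ev["ts"])
        if ev["action"] == "lease":        # device held this address (a temporary property)
            touch(ents["device"], ev["ts"])["attrs"]["mac"].add(ev["mac"])
            relate(ents["device"], ents["address"], "leased", ev)
        elif ev["action"] == "login":      # user used this device
            relate(ents["user"], ents["device"], "login", ev)
        elif ev["action"] == "access":     # user read from this share
            relate(ents["user"], ents["share"], "access", ev)
    return nodes, edges


def relationships_of(edges, entity, start, end):
    """Edges touching `entity` whose timeframe overlaps the window [start, end]."""
    return {k: e for k, e in edges.items()
            if entity in k[:2] and e["start"] <= end and e["end"] >= start}


def threat_score(edges, entity, start, end):
    """Heuristic score (0-100) for `entity` over [start, end], plus the evidence used."""
    score, evidence = 0, []
    for (a, b, kind), e in relationships_of(edges, entity, start, end).items():
        other = b if a == entity else a
        in_window = [ev for ev in e["events"] if start <= ev["ts"] <= end]
        if kind == "login":
            failures = sum(ev.get("result") == "failure" for ev in in_window)
            if failures >= FAILED_LOGIN_FLOOR:
                score += 50
                evidence.append(f"{failures} failed logins on edge with {other[1]}")
            if e["start"] >= start:        # relationship first appeared inside the window
                score += 20
                evidence.append(f"new {kind} relationship with {other[1]}")
        elif kind == "access":
            read = sum(int(ev.get("bytes", 0)) for ev in in_window)
            if read >= BULK_READ_BYTES:
                score += 40
                evidence.append(f"{read} bytes read from {other[1]}")
    return min(score, 100), evidence


def evaluate(edges, entity, start, end, threshold=RESTRICT_THRESHOLD):
    """Decision record: restrict the entity's data access when its score exceeds the threshold."""
    score, evidence = threat_score(edges, entity, start, end)
    return {"entity": entity, "timeframe": (start, end), "score": score,
            "restrict": score > threshold, "evidence": evidence}


def evaluate_over_relationships(edges, entity, threshold=RESTRICT_THRESHOLD):
    """Score the entity over the combined span of all of its relationship timeframes."""
    spans = [(e["start"], e["end"]) for (a, b, _), e in edges.items() if entity in (a, b)]
    if not spans:
        return evaluate(edges, entity, 0, 0, threshold)
    return evaluate(edges, entity, min(s for s, _ in spans), max(t for _, t in spans), threshold)


if __name__ == "__main__":
    nodes, edges = build_graph(parse_logs(SAMPLE_LOGS))
    for user in (("user", "alice"), ("user", "bob")):
        print(evaluate_over_relationships(edges, user))
```

Two points the claim language turns on are visible in the output. First, an edge's timeframe is what makes the graph usable for scoring: the same address 10.0.0.5 is related to two different devices, but the two leased edges have disjoint timeframes, so a score computed over either device's window does not pick up the other's activity. Second, the threshold is "exceeded", not "reached": laptop-17 scores exactly 70 over 1400-1600 and is not restricted, while bob scores 100 over the combined span of his relationships and is.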
3 Assignments
0 Petitions
Abstract
Disclosed is a system for detecting security threats in a local network. A security analytics system collects raw data about entities in the local network. The security analytics system identifies the entities in the raw data and determines a set of properties for each identified entity. The entity properties contain information about the entity and can be temporary or permanent properties of the entity. The security analytics system determines relationships between the identified entities; the relationships can be determined based on the entity properties of the identified entities. An entity graph is generated that describes the entity relationships, wherein the nodes of the entity graph represent entities and the edges of the entity graph represent entity relationships. The security analytics system provides a user interface to a user that contains the entity graph and the relationships described therein.
77 Citations
20 Claims
1. A method comprising:
receiving, at a security analytics system, raw data describing behavior of a plurality of entities within a local network, the plurality of entities comprising at least one user and at least one device;
identifying each entity of the plurality of entities based on the raw data;
determining, for each entity of the plurality of entities in the local network, a set of entity properties based on the received raw data, the raw data comprising data logged by devices in the local network;
determining entity relationships between the plurality of entities in the local network based on the determined entity properties, each entity relationship of the determined entity relationships comprising a timeframe during which the relationship existed;
generating an entity graph describing the entity relationships, wherein nodes of the entity graph represent respective entities within the local network and edges in the graph represent relationships between the entities, and wherein each edge is associated with the respective timeframe of the relationship;
using the relationships represented by the entity graph to generate one or more threat scores for an entity over one or more relationship timeframes, wherein the threat score indicates a likelihood that the entity in the local network is exhibiting malicious behavior; and
in response to determining that a particular threat score for the entity for a particular timeframe exceeds a first threshold, restricting access by the entity to data of the local network.
Dependent claims: 2-11.

12. A computer program product comprising a non-transitory computer-readable storage medium configured to store executable computer code that, when executed by a processor, causes the processor to perform the steps of:
receiving, at a security analytics system, raw data describing behavior of a plurality of entities within a local network, the plurality of entities comprising at least one user and at least one device;
identifying each entity of the plurality of entities based on the raw data;
determining, for each entity of the plurality of entities in the local network, a set of entity properties based on the received raw data, the raw data comprising data logged by devices in the local network;
determining entity relationships between the plurality of entities in the local network based on the determined entity properties, each entity relationship of the determined entity relationships comprising a timeframe during which the relationship existed;
generating an entity graph describing the entity relationships, wherein nodes of the entity graph represent respective entities within the local network and edges in the graph represent relationships between the entities, and wherein each edge is associated with the respective timeframe of the relationship;
using the relationships represented by the entity graph to generate one or more threat scores for an entity over one or more relationship timeframes, wherein the threat score indicates a likelihood that the entity in the local network is exhibiting malicious behavior; and
in response to determining that a particular threat score for the entity for a particular timeframe exceeds a first threshold, restricting access by the entity to data of the local network.
Dependent claims: 13-19.

20. A system comprising one or more computing devices having one or more processors and one or more computer-readable storage media storing executable computer code, that when executed causes the one or more processors to perform the steps of:
receiving, at a security analytics system, raw data describing behavior of a plurality of entities within a local network, the plurality of entities comprising at least one user and at least one device;
identifying each entity of the plurality of entities based on the raw data;
determining, for each entity of the plurality of entities in the local network, a set of entity properties based on the received raw data, the raw data comprising data logged by devices in the local network;
determining entity relationships between the plurality of entities in the local network based on the determined entity properties, each entity relationship of the determined entity relationships comprising a timeframe during which the relationship existed;
generating an entity graph describing the entity relationships, wherein nodes of the entity graph represent respective entities within the local network and edges in the graph represent relationships between the entities, and wherein each edge is associated with the respective timeframe of the relationship;
using the relationships represented by the entity graph to generate one or more threat scores for an entity over one or more relationship timeframes, wherein the threat score indicates a likelihood that the entity in the local network is exhibiting malicious behavior; and
in response to determining that a particular threat score for the entity for a particular timeframe exceeds a first threshold, restricting access by the entity to data of the local network.
Specification