Modeling behavior in a network using event logs

US 10,375,095 B1
Filed: 11/18/2016
Issued: 08/06/2019
Est. Priority Date: 11/20/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

independently considering a time series of events generated by a plurality of user credentials, by a monitoring computing system, the time series of events comprising log events for each user credential, the log events comprising a client computing system, a server computing system, and an event type;

fitting Bayesian models to the time series of events, by the monitoring computing system, for each of the plurality of user credentials;

determining, by the monitoring computing system, p-values for the client computing system, the server computing system, and the event type for each of the plurality of user credentials based on the respective fitted Bayesian model;

combining the determined p-values, by the monitoring computing system, to obtain a full posterior predictive p-value or an overall p-value;

checking, by the computing system, whether an event generated for a given user credential is anomalous with respect to the respective full posterior predictive p-value or overall p-value for that given user credential; and

when the event for the given user credential is anomalous based on the full posterior predictive p-value or overall p-value, flagging the given user credential as associated with anomalous behavior, by the monitoring computing system.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A framework is provided for modeling the activity surrounding user credentials and/or machine level activity on a computer network using computer event logs by viewing the logs attributed to each user as a multivariate data stream. The methodology performs well in detecting compromised user credentials at a very low false positive rate. Such a methodology may detect both users of compromised credentials by external actors and otherwise authorized users who have begun engaging in malicious activity.

Citations

20 Claims

1. A computer-implemented method, comprising:
- independently considering a time series of events generated by a plurality of user credentials, by a monitoring computing system, the time series of events comprising log events for each user credential, the log events comprising a client computing system, a server computing system, and an event type;
  
  fitting Bayesian models to the time series of events, by the monitoring computing system, for each of the plurality of user credentials;
  
  determining, by the monitoring computing system, p-values for the client computing system, the server computing system, and the event type for each of the plurality of user credentials based on the respective fitted Bayesian model;
  
  combining the determined p-values, by the monitoring computing system, to obtain a full posterior predictive p-value or an overall p-value;
  
  checking, by the computing system, whether an event generated for a given user credential is anomalous with respect to the respective full posterior predictive p-value or overall p-value for that given user credential; and
  
  when the event for the given user credential is anomalous based on the full posterior predictive p-value or overall p-value, flagging the given user credential as associated with anomalous behavior, by the monitoring computing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1, further comprising:
    - when the given user credential is not anomalous, updating the fitted Bayesian model for that credential, by the monitoring computing system.
  - 3. The computer-implemented method of claim 1, wherein event types comprise ticket granting ticket requests, service ticket requests, network logons, process starts, interactive logons, remote interactive sessions, remote desktop sessions, credential mapping, service startups, or any combination thereof.
  - 4. The computer-implemented method of claim 1, further comprising:
    - removing, by the monitoring computing system, duplicate log events, where a time stamp, user credential, client computing system, server computing system, and event type are all identical to a previous event log.
  - 5. The computer-implemented method of claim 1, wherein the client computing system, the server computing system, and the event type are modeled by multinomial distributions with conjugate Dirichlet distribution priors.
  - 6. The computer-implemented method of claim 1, wherein the time series of events for each user credential is modeled as a Markov Chain with a time-varying state space and a transition probability matrix.
  - 7. The computer-implemented method of claim 1, wherein the checking of whether the event is anomalous further comprises:
    - using a control chart, by the monitoring computing system, to accumulate evidence of anomalous behavior over time.
  - 8. The computer-implemented method of claim 1, wherein the checking of whether the event is anomalous further comprises:
    - applying an alarm threshold, by the monitoring computing system, to control a false alarm rate.
  - 9. The computer-implemented method of claim 1, further comprising:
    - independently considering, by the monitoring computing system, a time series of machine level events generated by a plurality of monitored computing systems in a network;
      
      fitting Bayesian models to the time series of events, by the monitoring computing system, for each of the plurality of monitored computing systems in the network;
      
      checking, by the monitoring computing system, whether a machine level event generated for a given monitored computing system is anomalous with respect to the fitted Bayesian model; and
      
      when the machine level event is anomalous, flagging the monitored computing system associated with the anomalous event as exhibiting anomalous behavior, by the monitoring computing system.
  - 10. The computer-implemented method of claim 1, wherein for a client-server-event type triple (x, y, e) for the client computing system x, the server computing system y, and the event e observed at a time t, the full posterior predictive p-value is given by:
  - 11. The computer-implemented method of claim 1, wherein for a client-server-event type triple (x, y, e) for the client computing system x, the server computing system y, and the event e observed at a time t, the overall p-value is derived by combining conditional distributions p_x,t, p_y|x,tand p_e|xy,tfor the client computing system, the server computing system, and the event, respectively, the conditional distributions given by:

12. A computer-implemented method, comprising:
- independently considering, by a monitoring computing system, a time series of machine level events generated by a plurality of monitored computing systems in a network, the time series of machine level events comprising log events for the plurality of monitored computing systems in the network, the log events comprising a client computing system, a server computing system, and an event type;
  
  fitting Bayesian models to the time series of events, by the monitoring computing system, for each of the plurality of monitored computing systems in the network;
  
  determining, by the monitoring computing system, p-values for the client computing system, the server computing system, and the event type for each of the plurality of machine level events based on the respective fitted Bayesian model;
  
  combining the determined p-values, by the monitoring computing system, to obtain a full posterior predictive p-value or an overall p-value;
  
  checking, by the monitoring computing system, whether an event generated for a given monitored computing system is anomalous with respect to the respective full posterior predictive p-value or overall p-value; and
  
  when the event is anomalous based on the full posterior predictive p-value or overall p-value, flagging the monitored computing system associated with the anomalous event as exhibiting anomalous behavior, by the monitoring computing system.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The computer-implemented method of claim 12, further comprising:
    - when the given event is not anomalous, updating, by the monitoring computing system, the fitted Bayesian model for the monitored computing system associated with the event.
  - 14. The computer-implemented method of claim 12, wherein the client computing system, the server computing system, and the event type are modeled by multinomial distributions with conjugate Dirichlet distribution priors.
  - 15. The computer-implemented method of claim 12, wherein for a client-server-event type triple (x, y, e) for the client computing system x, the server computing system y, and the event e observed at a time t, the full posterior predictive p-value is given by:
  - 16. The computer-implemented method of claim 12, wherein for a client-server-event type triple (x, y, e) for the client computing system x, the server computing system y, and the event e observed at a time t, the overall p-value is derived by combining conditional distributions p_x,t, p_y|x,tand p_e|xy,tfor the client computing system, the server computing system, and the event, respectively, the conditional distributions given by:

17. A computer-implemented method, comprising:
- independently considering, by a computing system, a time series of events generated by a plurality of user credentials and a plurality of monitored computing systems in a network, the time series of events comprising log events for each user credential and each monitored computing system of the plurality of monitored computing systems, the log events comprising a client computing system, a server computing system, and an event type;
  
  fitting Bayesian models to the time series of events for each of the plurality of user credentials and each of the plurality of monitored computing systems in the network;
  
  determining, by the monitoring computing system, p-values for the client computing system, the server computing system, and the event type for each of the plurality of user credentials and each of the plurality of machine level events based on the respective fitted Bayesian model;
  
  combining the determined p-values, by the monitoring computing system, to obtain a full posterior predictive p-value or an overall p-value;
  
  checking, by the computing system, whether an event generated for a given user credential or a given monitored computing system of the plurality of monitored computing systems is anomalous with respect to the respective full posterior predictive p-value or overall p-value for the given user credential or machine level event; and
  
  when the event is anomalous based on the full posterior predictive p-value or overall p-value, flagging, by the monitoring computing system, the given user credential or the given monitored computing system of the plurality of monitored computing systems as associated with anomalous behavior.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-implemented method of claim 17, further comprising:
    - when the event is not anomalous, updating, by the monitoring computing system, the fitted Bayesian model for the given credential or the given monitored computing system of the plurality of monitored computing systems.
  - 19. The computer-implemented method of claim 17, wherein for a client-server-event type triple (x, y, e) for the client computing system x, the server computing system y, and the event e observed at a time t, the full posterior predictive p-value is given by:
  - 20. The computer-implemented method of claim 17, wherein for a client-server-event type triple (x, y, e) for the client computing system x, the server computing system y, and the event e observed at a time t, the overall p-value is derived by combining conditional distributions p_x,t, p_y|x,tand p_e|xy,tfor the client computing system, the server computing system, and the event, respectively, the conditional distributions given by:

Specification

Resources

Litigation Campaign Assessment

Current Assignee
IP2IPO Innovations Limited (IP Group plc)
Original Assignee
TRIAD National Security, LLC
Inventors
Turcotte, Melissa J. M., Heard, Nicholas A., Kent, Alexander D.
Primary Examiner(s)
Vaughan, Michael R

Application Number

US15/355,142
Time in Patent Office

991 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/01   Protocols

Modeling behavior in a network using event logs

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Modeling behavior in a network using event logs

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links