Graph-based user tracking and threat detection

US 10,419,469 B1
Filed: 09/18/2018
Issued: 09/17/2019
Est. Priority Date: 11/27/2017
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

receive log data associated with at least one user session in a network environment associated with an original user, wherein the received log data comprises information associated with the original user provided by a plurality of machines;

generate a logical graph using at least a portion of the received log data, wherein the generated logical graph comprises a user login graph that models machines with which the original user interacts, and wherein the generated logical graph comprises;

(1) a first node corresponding to the original user, (2) at least a second node, and (3) a set of edges, wherein the set of edges includes at least one edge connecting the first node to the second node;

determine, using the generated logical graph, that a change has been made to the set of edges, wherein the change made to the set of edges is at least one of;

(1) an addition of an edge to the set, and (2) a modification to an edge that is already present in the set; and

in response to determining that the change has been made to the set of edges, automatically generating an alert that an anomaly in the network environment associated with the change in the set of edges has occurred; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Log data associated with at least one user session associated with an original user is received. A logical graph is generated using at least a portion of the received log data. One example of such a logical graph is a privilege change graph that models privilege changes between processes. Another example of such a logical graph is a user login graph that models machines with which the original user interacts. Another example of such a logical graph is a machine-server graph that clusters machines into nodes based on resources executing on the machine. The generated logical graph is used to detect an anomaly. The detected anomaly is recorded.

99 Citations

View as Search Results

33 Claims

1. A system, comprising:
- a processor configured to;
  
  receive log data associated with at least one user session in a network environment associated with an original user, wherein the received log data comprises information associated with the original user provided by a plurality of machines;
  
  generate a logical graph using at least a portion of the received log data, wherein the generated logical graph comprises a user login graph that models machines with which the original user interacts, and wherein the generated logical graph comprises;
  
  (1) a first node corresponding to the original user, (2) at least a second node, and (3) a set of edges, wherein the set of edges includes at least one edge connecting the first node to the second node;
  
  determine, using the generated logical graph, that a change has been made to the set of edges, wherein the change made to the set of edges is at least one of;
  
  (1) an addition of an edge to the set, and (2) a modification to an edge that is already present in the set; and
  
  in response to determining that the change has been made to the set of edges, automatically generating an alert that an anomaly in the network environment associated with the change in the set of edges has occurred; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system of claim 1 wherein using the generated logical graph to detect the anomaly includes detecting an anomaly associated with the original user.
  - 3. The system of claim 2 wherein the processor is configured to detect the anomaly associated with the original user at least in part by determining an anomaly associated with a second user that is different from the original user and determining an association between the second user and the original user.
  - 4. The system of claim 1 wherein the logical graph comprises an insider behavior graph, wherein the insider behavior graph models interactions of the original user with a network environment.
  - 5. The system of claim 1 wherein the logical graph comprises a privilege change graph, wherein the privilege change graph models privilege changes between processes.
  - 6. The system of claim 5 wherein the privilege changes are represented as edges in the privilege change graph.
  - 7. The system of claim 5 wherein the privilege change graph includes process hierarchy information.
  - 8. The system of claim 1 wherein the logical graph comprises a machine-server graph, wherein the machine-server graph clusters machines into nodes based on resources executing on the machine.
  - 9. The system of claim 1 wherein detecting the anomaly includes determining that the original user has logged in from an anomalous location.
  - 10. The system of claim 1 wherein detecting the anomaly includes determining that the original user has logged into an anomalous machine.
  - 11. The system of claim 10 wherein the anomalous machine has an associated machine class and wherein determining that the original user has logged into the anomalous machine includes determining that the original user has accessed an anomalous machine class.
  - 12. The system of claim 1 wherein detecting the anomaly includes determining that the original user has accessed an anomalous application.
  - 13. The system of claim 1 wherein detecting the anomaly includes determining that the original user has transmitted data to an anomalous destination.
  - 14. The system of claim 13 wherein the processor is further configured to determine that the anomalous destination is an anomalous destination based at least in part on geolocation information associated with the destination.
  - 15. The system of claim 1 wherein detecting the anomaly includes determining that the original user has transmitted an anomalous amount of data.
  - 16. The system of claim 1 wherein detecting the anomaly includes determining that the original user has made an anomalous privilege change.

17. A method, comprising:
- receiving log data associated with at least one user session in a network environment associated with an original user, wherein the received log data comprises information associated with the original user provided by a plurality of machines;
  
  generating a logical graph using at least a portion of the received log data, wherein the generated logical graph comprises a user login graph that models machines with which the original user interacts, and wherein the generated logical graph comprises;
  
  (1) a first node corresponding to the original user, (2) at least a second node, and (3) a set of edges, wherein the set of edges includes at least one edge connecting the first node to the second node;
  
  determining, using the generated logical graph, that a change has been made to the set of edges, wherein the change made to the set of edges is at least one of;
  
  (1) an addition of an edge to the set, and (2) a modification to an edge that is already present in the set; and
  
  in response to determining that the change has been made to the set of edges, automatically generating an alert that an anomaly in the network environment associated with the change in the set of edges has occurred.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 33)
- - 18. The method of claim 17 wherein using the generated logical graph to detect the anomaly includes detecting an anomaly associated with the original user.
  - 19. The method of claim 17 wherein the logical graph comprises an insider behavior graph, wherein the insider behavior graph models interactions of the original user with a network environment.
  - 20. The method of claim 17 wherein the logical graph comprises a privilege change graph, wherein the privilege change graph models privilege changes between processes.
  - 21. The method of claim 20 wherein the privilege changes are represented as edges in the privilege change graph.
  - 22. The method of claim 20 wherein the privilege change graph includes process hierarchy information.
  - 23. The method of claim 17 wherein the logical graph comprises a machine-server graph, wherein the machine-server graph clusters machines into nodes based on resources executing on the machine.
  - 24. The method of claim 17 wherein detecting the anomaly includes determining that the original user has logged in from an anomalous location.
  - 25. The method of claim 17 wherein detecting the anomaly includes determining that the original user has logged into an anomalous machine.
  - 26. The method of claim 25 wherein the anomalous machine has an associated machine class and wherein determining that the original user has logged into the anomalous machine includes determining that the original user has accessed an anomalous machine class.
  - 27. The method of claim 17 wherein detecting the anomaly includes determining that the original user has accessed an anomalous application.
  - 28. The method of claim 17 wherein detecting the anomaly includes determining that the original user has transmitted data to an anomalous destination.
  - 29. The method of claim 28 further comprising determining that the anomalous destination is an anomalous destination based at least in part on geolocation information associated with the destination.
  - 30. The method of claim 17 wherein detecting the anomaly includes determining that the original user has transmitted an anomalous amount of data.
  - 31. The method of claim 17 wherein detecting the anomaly includes determining that the original user has made an anomalous privilege change.
  - 33. The method of claim 18 wherein detecting the anomaly associated with the original user includes determining an anomaly associated with a second user that is different from the original user and determining an association between the second user and the original user.

32. A computer program product embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- receiving log data associated with at least one user session in a network environment associated with an original user, wherein the received log data comprises information associated with the original user provided by a plurality of machines;
  
  generating a logical graph using at least a portion of the received log data, wherein the generated logical graph comprises a user login graph that models machines with which the original user interacts, and wherein the generated logical graph comprises;
  
  (1) a first node corresponding to the original user, (2) at least a second node, and (3) a set of edges, wherein the set of edges includes at least one edge connecting the first node to the second node;
  
  determining, using the generated logical graph, that a change has been made to the set of edges, wherein the change made to the set of edges is at least one of;
  
  (1) an addition of an edge to the set, and (2) a modification to an edge that is already present in the set; and
  
  in response to determining that the change has been made to the set of edges, automatically generating an alert that an anomaly in the network environment associated with the change in the set of edges has occurred.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lacework Inc.
Original Assignee
Lacework Inc.
Inventors
Singh, Harish Kumar Bharat, Kapoor, Vikram, Bog, Murat, Chen, Yijou
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US16/134,821
Time in Patent Office

364 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2456   Join operations

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 16/9038   Presentation of query results

G06F 16/9535   Search customisation based ...

G06F 16/9537   Spatial or temporal depende...

G06F 21/57   Certifying or maintaining t...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/545   where tasks reside in diffe...

H04L 43/045   for graphical visualisation...

H04L 43/06   Generation of reports

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/306   User profiles

H04L 67/535   Tracking the activity of th...

Graph-based user tracking and threat detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

99 Citations

33 Claims

Specification

Use Cases

Quick Links

Others

Graph-based user tracking and threat detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

99 Citations

33 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others