Graph-based user tracking and threat detection
First Claim
1. A system, comprising:
a processor configured to:
receive log data associated with at least one user session in a network environment associated with an original user, wherein the received log data comprises information associated with the original user provided by a plurality of machines;
generate a logical graph using at least a portion of the received log data, wherein the generated logical graph comprises a user login graph that models machines with which the original user interacts, and wherein the generated logical graph comprises:
(1) a first node corresponding to the original user, (2) at least a second node, and (3) a set of edges, wherein the set of edges includes at least one edge connecting the first node to the second node;
determine, using the generated logical graph, that a change has been made to the set of edges, wherein the change made to the set of edges is at least one of:
(1) an addition of an edge to the set, and (2) a modification to an edge that is already present in the set; and
in response to determining that the change has been made to the set of edges, automatically generating an alert that an anomaly in the network environment associated with the change in the set of edges has occurred; and
a memory coupled to the processor and configured to provide the processor with instructions.
Abstract
Log data associated with at least one user session associated with an original user is received. A logical graph is generated using at least a portion of the received log data. One example of such a logical graph is a privilege change graph that models privilege changes between processes. Another example of such a logical graph is a user login graph that models machines with which the original user interacts. Another example of such a logical graph is a machine-server graph that clusters machines into nodes based on resources executing on the machine. The generated logical graph is used to detect an anomaly. The detected anomaly is recorded.
33 Claims
17. A method, comprising:
receiving log data associated with at least one user session in a network environment associated with an original user, wherein the received log data comprises information associated with the original user provided by a plurality of machines;
generating a logical graph using at least a portion of the received log data, wherein the generated logical graph comprises a user login graph that models machines with which the original user interacts, and wherein the generated logical graph comprises:
(1) a first node corresponding to the original user, (2) at least a second node, and (3) a set of edges, wherein the set of edges includes at least one edge connecting the first node to the second node;
determining, using the generated logical graph, that a change has been made to the set of edges, wherein the change made to the set of edges is at least one of:
(1) an addition of an edge to the set, and (2) a modification to an edge that is already present in the set; and
in response to determining that the change has been made to the set of edges, automatically generating an alert that an anomaly in the network environment associated with the change in the set of edges has occurred.
Dependent claims: 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 33
32. A computer program product embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
receiving log data associated with at least one user session in a network environment associated with an original user, wherein the received log data comprises information associated with the original user provided by a plurality of machines;
generating a logical graph using at least a portion of the received log data, wherein the generated logical graph comprises a user login graph that models machines with which the original user interacts, and wherein the generated logical graph comprises:
(1) a first node corresponding to the original user, (2) at least a second node, and (3) a set of edges, wherein the set of edges includes at least one edge connecting the first node to the second node;
determining, using the generated logical graph, that a change has been made to the set of edges, wherein the change made to the set of edges is at least one of:
(1) an addition of an edge to the set, and (2) a modification to an edge that is already present in the set; and
in response to determining that the change has been made to the set of edges, automatically generating an alert that an anomaly in the network environment associated with the change in the set of edges has occurred.
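The three independent claims describe the same procedure: build a user login graph from session logs, then alert when an edge is added or an existing edge is modified. The following is an added illustration, not code from the patent or its assignee; the log record layout, the `login_type` edge attribute and all machine and user names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample login records: (session_id, original_user, machine, login_type).
# Every record is attributed to the original user who started the session, so later
# hops inside that session still hang off the same user node.
BASELINE_LOGS = [
    ("s1", "alice", "web-01", "ssh"),
    ("s1", "alice", "db-01", "ssh"),
    ("s2", "alice", "web-02", "ssh"),
]
NEW_LOGS = [
    ("s3", "alice", "web-01", "ssh"),        # existing edge, unchanged
    ("s3", "alice", "db-01", "sudo"),        # existing edge, new login type
    ("s4", "alice", "backup-01", "ssh"),     # machine alice has never touched
]


def build_login_graph(records):
    """User login graph: one node per original user and per machine; the edge
    (user, machine) carries the set of login types observed on it."""
    edges = defaultdict(set)
    for _session, user, machine, login_type in records:
        edges[(user, machine)].add(login_type)
    return dict(edges)


def detect_edge_changes(baseline, current):
    """Compare the current edge set against the baseline and return one alert per
    added edge or per existing edge whose attributes changed.
    Alert shape: (kind, user, machine, new_login_types)."""
    alerts = []
    for (user, machine), types in sorted(current.items()):
        known = baseline.get((user, machine))
        if known is None:
            alerts.append(("addition", user, machine, tuple(sorted(types))))
        elif types - known:
            alerts.append(("modification", user, machine, tuple(sorted(types - known))))
    return alerts


def run_detection(baseline_logs=BASELINE_LOGS, new_logs=NEW_LOGS):
    """Build both graphs, diff the edge sets and emit an alert per anomaly."""
    alerts = detect_edge_changes(build_login_graph(baseline_logs),
                                 build_login_graph(new_logs))
    for kind, user, machine, types in alerts:
        print(f"ALERT {kind}: {user} -> {machine} via {', '.join(types)}")
    return alerts


if __name__ == "__main__":
    run_detection()
```

In a deployment the baseline would be accumulated over a learning window and the comparison run per ingest batch; an unchanged edge (here alice to web-01 over ssh) produces no alert.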