Lateral movement detection through graph-based candidate selection
Abstract
A lateral movement application identifies lateral movement (LM) candidates that potentially represent a security threat. Security platforms generate event data when performing security-related functions, such as authenticating a user account. The disclosed technology makes identification of LM candidates substantially more accurate by, for example, refining an initial population of LM candidates based on an analysis of a time-constrained graph in which nodes represent entities and edges between nodes represent a time sequence of login or other association activities between the entities. The graph is created from an analysis of the event data, including the time sequences of the events.
28 Claims
1. A method, comprising:
accessing, by a computer system, event data indicative of a plurality of events related to a plurality of entities associated with a network;
identifying, by the computer system, based on the event data, lateral movement candidate entities by identifying a subset of the plurality of entities as being associated with particular events that indicate lateral movement in the network;
creating, by the computer system, based on the event data, a graph data structure that is indicative of a sequence of events associated with the lateral movement candidate entities, wherein the graph data structure includes a plurality of nodes and one or more connections between the nodes, each of the nodes represents an entity of the plurality of entities and is associated, via the graph data structure, with a feature vector that is derived from a set of events that are associated with the node, and a connection from a first node to a second node in the graph data structure represents a sequence of events in the plurality of events; and
analyzing, by the computer system, the graph data structure to identify a potential security threat by identifying a subset of the lateral movement candidate entities that are associated with a particular sequence of events.
Dependent claims 2 to 26 (not shown).
27. A computing device, comprising:
a processor; and
a memory storing instructions that, when executed by the processor, cause the processor to perform a process including:
accessing event data indicative of a plurality of events related to a plurality of entities associated with a network;
identifying, based on the event data, lateral movement candidate entities by identifying a subset of the plurality of entities as being associated with particular events that indicate lateral movement in the network;
creating, based on the event data, a graph data structure that is indicative of a sequence of events associated with the lateral movement candidate entities, wherein the graph data structure includes a plurality of nodes and one or more connections between the nodes, each of the nodes represents an entity of the plurality of entities and is associated, via the graph data structure, with a feature vector that is derived from a set of events that are associated with the node, and a connection from a first node to a second node in the graph data structure represents a sequence of events in the plurality of events; and
analyzing the graph data structure to identify a potential security threat by identifying a subset of the lateral movement candidate entities that are associated with a particular sequence of events.
28. A non-transitory machine-readable storage medium storing instructions which, when executed by at least one processor, cause the at least one processor to perform operations comprising:
accessing event data indicative of a plurality of events related to a plurality of entities associated with a network;
identifying, based on the event data, lateral movement candidate entities by identifying a subset of the plurality of entities as being associated with particular events that indicate lateral movement in the network;
creating, based on the event data, a graph data structure that is indicative of a sequence of events associated with the lateral movement candidate entities, wherein the graph data structure includes a plurality of nodes and one or more connections between the nodes, each of the nodes represents an entity of the plurality of entities and is associated, via the graph data structure, with a feature vector that is derived from a set of events that are associated with the node, and a connection from a first node to a second node in the graph data structure represents a sequence of events in the plurality of events; and
analyzing the graph data structure to identify a potential security threat by identifying a subset of the lateral movement candidate entities that are associated with a particular sequence of events.
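The three steps that the abstract and the independent claims describe (select candidate entities from lateral-movement-indicating events, build a time-constrained graph whose nodes carry event-derived feature vectors, then reduce the candidates to those lying on a particular time-ordered sequence of logons) are shown below in a small Python script. This is an added illustration, not the patent's or any assignee's implementation: the event tuple layout, the choice of "logon" as the lateral-movement-indicating event type, the one-hour hop window, the per-node features and the sample events are all assumptions made for the example.

```python
"""Added example: time-constrained graph over lateral movement (LM) candidates.
Not the patent's own code; event format, window and features are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event types taken to indicate possible lateral movement (assumption).
LM_EVENT_TYPES = {"logon"}

# Constructed sample events: (timestamp, type, source entity, destination entity, account).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "logon", "ws-alice", "file-srv", "alice"),
    ("2024-03-01T09:05:00", "logon", "ws-alice", "ws-bob", "alice"),
    ("2024-03-01T09:12:00", "logon", "ws-bob", "db-srv", "svc-backup"),
    ("2024-03-01T09:20:00", "logon", "db-srv", "dc01", "svc-backup"),
    ("2024-03-01T13:00:00", "logon", "ws-carol", "file-srv", "carol"),
    ("2024-03-02T08:00:00", "logon", "file-srv", "dc01", "carol"),      # next day: outside window
    ("2024-03-01T09:30:00", "file_read", "ws-dave", "file-srv", "dave"),  # not an LM event type
]


@dataclass(frozen=True)
class Edge:
    """A directed, time-stamped connection: one logon from src into dst."""
    ts: datetime
    src: str
    dst: str
    account: str


def select_candidates(events):
    """Step 1: every entity that appears in an LM-indicating event is a candidate."""
    edges = [Edge(datetime.fromisoformat(ts), src, dst, acct)
             for ts, kind, src, dst, acct in events if kind in LM_EVENT_TYPES]
    candidates = {e.src for e in edges} | {e.dst for e in edges}
    return candidates, sorted(edges, key=lambda e: e.ts)


def build_graph(edges):
    """Step 2: out-edge adjacency plus a feature vector per node derived from
    the events that touch that node (counts of logons and distinct peers/accounts)."""
    out_edges = defaultdict(list)
    for e in edges:
        out_edges[e.src].append(e)
    features = {}
    for n in {e.src for e in edges} | {e.dst for e in edges}:
        ins = [e for e in edges if e.dst == n]
        outs = out_edges[n]
        features[n] = {
            "logons_in": len(ins),
            "logons_out": len(outs),
            "distinct_accounts": len({e.account for e in ins + outs}),
            "distinct_peers": len({e.src for e in ins} | {e.dst for e in outs}),
        }
    return out_edges, features


def find_chains(edges, out_edges, window, min_hops=2):
    """Step 3: depth-first walk along edges whose timestamps strictly increase and
    stay within `window` of the previous hop.  A chain only starts at an edge with
    no in-window predecessor, so sub-chains of a longer chain are not reported twice."""
    def has_predecessor(e):
        return any(p.dst == e.src and e.ts - window <= p.ts < e.ts for p in edges)

    chains = []

    def extend(path):
        last = path[-1]
        visited = {p.src for p in path} | {last.dst}
        nxt = [e for e in out_edges[last.dst]
               if last.ts < e.ts <= last.ts + window and e.dst not in visited]
        if not nxt:
            if len(path) >= min_hops:
                chains.append(path)
            return
        for e in nxt:
            extend(path + [e])

    for e in edges:
        if not has_predecessor(e):
            extend([e])
    return chains


def chain_to_path(chain):
    """Node sequence of a chain, e.g. ['ws-alice', 'ws-bob', 'db-srv']."""
    return [chain[0].src] + [e.dst for e in chain]


def refine_candidates(events, window=timedelta(hours=1)):
    """Run all three steps; return initial candidates, refined candidates, chains, features."""
    candidates, edges = select_candidates(events)
    out_edges, features = build_graph(edges)
    chains = find_chains(edges, out_edges, window)
    refined = set()
    for chain in chains:
        refined.update(chain_to_path(chain))
    return candidates, refined, chains, features


if __name__ == "__main__":
    cands, refined, chains, feats = refine_candidates(SAMPLE_EVENTS)
    print("initial candidates:", sorted(cands))
    for c in chains:
        print("chain:", " -> ".join(chain_to_path(c)), "accounts:", [e.account for e in c])
    print("refined candidates:", sorted(refined))
```

On the constructed events the initial candidate set holds six entities (everything touched by a logon; ws-dave is excluded because a file read is not treated as an LM event), while the graph analysis reduces it to the four entities on the single time-ordered chain ws-alice -> ws-bob -> db-srv -> dc01. The carol logons form no chain because the second hop falls outside the one-hour window, which is the kind of refinement the abstract attributes to the time-constrained graph. The account switch from alice to svc-backup mid-chain is visible in the edge data and is the sort of per-edge attribute an analyst would want surfaced alongside the path.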