Lateral movement detection through graph-based candidate selection

US 10,462,169 B2
Filed: 04/29/2017
Issued: 10/29/2019
Est. Priority Date: 04/29/2017
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

accessing, by a computer system, event data indicative of a plurality of events related to a plurality of entities associated with a network;

identifying, by the computer system, based on the event data, lateral movement candidate entities by identifying a subset of the plurality of entities as being associated with particular events that indicate lateral movement in the network;

creating, by the computer system, based on the event data, a graph data structure that is indicative of a sequence of events associated with the lateral movement candidate entities, wherein the graph data structure includes a plurality of nodes and one or more connections between the nodes, each of the nodes represents an entity of the plurality of entities and is associated, via the graph data structure, with a feature vector that is derived from a set of events that are associated with the node, and a connection from a first node to a second node in the graph data structure represents a sequence of events in the plurality of events; and

analyzing, by the computer system, the graph data structure to identify a potential security threat by identifying a subset of the lateral movement candidate entities that are associated with a particular sequence of events.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A lateral movement application identifies lateral movement (LM) candidates that potentially represent a security threat. Security platforms generate event data when performing security-related functions, such as authenticating a user account. The disclosed technology enables greatly increased accuracy identification of lateral movement (LM) candidates by, for example, refining a population of LM candidates based on an analysis of a time constrained graph in which nodes represent entities, and edges between nodes represent a time sequence of login or other association activities between the entities. The graph is created based on an analysis of the event data, including time sequences of the event data.

16 Citations

View as Search Results

28 Claims

1. A method, comprising:
- accessing, by a computer system, event data indicative of a plurality of events related to a plurality of entities associated with a network;
  
  identifying, by the computer system, based on the event data, lateral movement candidate entities by identifying a subset of the plurality of entities as being associated with particular events that indicate lateral movement in the network;
  
  creating, by the computer system, based on the event data, a graph data structure that is indicative of a sequence of events associated with the lateral movement candidate entities, wherein the graph data structure includes a plurality of nodes and one or more connections between the nodes, each of the nodes represents an entity of the plurality of entities and is associated, via the graph data structure, with a feature vector that is derived from a set of events that are associated with the node, and a connection from a first node to a second node in the graph data structure represents a sequence of events in the plurality of events; and
  
  analyzing, by the computer system, the graph data structure to identify a potential security threat by identifying a subset of the lateral movement candidate entities that are associated with a particular sequence of events.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The method of claim 1, wherein each entity of the plurality of entities is a user account, a computing device, or an application, and wherein the graph data structure represents a time constrained graph.
  - 3. The method of claim 1, wherein the sequence of events includes a first event associated with the first node that occurred before a second event associated with the second node, wherein a connection from the first node to the second node in the graph data structure represents a determination that the first event occurred before the second event, and wherein the first event and the second event are part of the particular sequence of events.
  - 4. The method of claim 1, wherein the event data include data obtained from a log file generated by a security platform, and wherein the security platform is any of Active Directory, a firewall, or an endpoint application.
  - 5. The method of claim 1, wherein the event data include data obtained from a log file generated by a security platform, wherein the security platform is any of Active Directory, a firewall, an endpoint application, or an application that generates event data, wherein the event data is streamed by a security platform, and wherein the event data is accessed by receiving the streamed event data.
  - 6. The method of claim 1, wherein the identifying the lateral movement candidate entities includes:
    - accessing a data store that includes data associated with selected events, wherein the selected events are indicative of lateral movement;
      
      determining, based on the data store access, that the selected events include the particular events that indicate lateral movement;
      
      determining which of the plurality of entities are associated with the particular events to determine the subset of the plurality of entities, the subset of the plurality of entities being lateral movement candidate entities; and
      
      identifying each entity in the subset of the entities as being a lateral movement candidate entity.
  - 7. The method of claim 1, wherein the identifying the lateral movement candidate entities includes:
    - accessing a data store that includes data associated with selected events, wherein each selected event of the selected events is included in the data store after a determination has been made that the selected event is indicative of lateral movement, and wherein the identifying the subset of the plurality of entities includes based on the event data includes identifying an entity of the subset of the plurality of entities based on an anomaly.
  - 8. The method of claim 1, wherein the identifying the lateral movement candidate entities includes:
    - accessing a data store that includes data associated with selected events, wherein the selected events are indicative of lateral movement, and wherein each of the selected events has an associated weight factor; and
      
      for each entity of the plurality of entities;
      
      identifying a subset of the event data that is associated with the entity;
      
      obtaining, based on the data store access, a weight factor for each event of the subset of event data;
      
      calculating an entity weight factor for the entity based on the weight factor for each event;
      
      when the entity weight factor is above a threshold, including the entity in the subset of the plurality of entities that are lateral movement candidate entities.
  - 9. The method of claim 1, wherein the creating the graph data structure that is indicative of the sequence of events includes:
    - associating data with a node of the graph data structure, wherein the data is derived from a subset of the event data associated with the node;
      
      analyzing the event data to determine the sequence of events; and
      
      creating connections between the nodes to represent the sequence of events.
  - 10. The method of claim 1, wherein the creating the graph data structure that is indicative of the sequence of events includes:
    - for each entity of the plurality of entities;
      
      creating a node in a data structure to represent the entity;
      
      identifying a subset of the event data that are associated with the node;
      
      creating a feature vector that is derived from the subset of the event data; and
      
      associating the feature vector with the node;
      
      analyzing the event data to determine the sequence of events; and
      
      creating connections between the nodes to represent the sequence of events.
  - 11. The method of claim 1, wherein the creating the graph data structure that is indicative of the sequence of events includes:
    - associating one or more feature vectors with a node that represents an entity, wherein each of the one or more feature vectors is derived from the subset of the event data and has an associated weight factor;
      
      creating connections between the node and other nodes to represent the sequence of events; and
      
      calculating a path value for a path based on entity and feature weight factors.
  - 12. The method of claim 1, wherein the analyzing the graph data structure to identify the potential security threat includes:
    - accessing a data store that includes data associated with a plurality of sequences of events, wherein the data store includes a sequence weight factor for a particular sequence of events; and
      
      identifying one or more entities that are associated with a particular sequence of events as being the subset of the lateral movement candidate entities based on the sequence weight factor associated with the particular sequence.
  - 13. The method of claim 1, wherein the analyzing the graph data structure to identify the potential security threat includes:
    - accessing a data store that includes data associated with a plurality of sequences of events, wherein each of the sequences of events is indicative of lateral movement;
      
      determining, based on the data store access, that the sequences of events include the particular sequence of events; and
      
      identifying the subset of lateral movement candidate entities by determining which of the plurality of entities are associated with the particular sequence of events.
  - 14. The method of claim 1, wherein the analyzing the graph data structure to identify the potential security threat includes:
    - accessing a data store that includes data associated with a plurality of sequences of events, wherein each of the sequences of events is indicative of lateral movement;
      
      determining, based on the data store access, that the sequences of events include the particular sequence of events; and
      
      identifying the subset of lateral movement candidate entities by determining which of the plurality of entities are associated with the particular sequence of events, wherein each sequence of the plurality of sequences of events was included in the data store after a determination was made that the sequence is indicative of lateral movement.
  - 15. The method of claim 1, wherein the analyzing the graph data structure to identify the potential security threat includes determining which of the plurality of entities are the lateral movement candidate entities after a determination was made that a particular subset of the entities is associated with a particular set of feature vectors that are associated with the particular sequence of network events.
  - 16. The method of claim 1, wherein the identifying the lateral movement candidate entities includes identifying a particular entity as being a lateral movement candidate entity based on a determination that a particular event associated with the particular entity is one of the following types of events:
    - an event that meets a requirement for being classified as a rare event,an event that is indicative of a blacklisted application or process,an event that is indicative of a user enumeration attack,an event that is indicative of an anomalous event,an event that is indicative of a privilege elevation,an event that is indicative of a security violation,an event that is indicative of a suspicious task,an event that is indicative of a number of process creation events above a predetermined threshold,an event that is indicative of a number of ports scanned above a predetermined threshold,an event that is indicate of expanding access,an event that is indicative of a shadow copy of Active Directory data,an event that is indicative of suspicious activity, oran event that is indicative of a suspicious login chain.
  - 17. The method of claim 1, wherein the identifying the lateral movement candidate entities includes identifying a particular entity as being a lateral movement candidate entity based on a determination that a particular event associated with the particular entity is indicative of a shadow copy of Active Directory data, and wherein the particular event comprises a plurality of events.
  - 18. The method of claim 1, wherein the identifying the lateral movement candidate entities includes identifying a particular entity as being a lateral movement candidate entity based on a determination that a particular event associated with the particular entity is an event that meets a requirement for being classified as a rare event, and wherein the requirement for a particular event being classified as a rare event is that the particular event occurs with a frequency below a predetermined threshold.
  - 19. The method of claim 1, wherein the identifying the lateral movement candidate entities includes identifying a particular entity as being a lateral movement candidate entity based on a determination that a particular event associated with the particular entity is an event that is indicative of a blacklisted application or process, and wherein the particular event is indicative of a blacklisted application or process when the particular event is associated with an application or process that is included in a data store of blacklisted applications or processes.
  - 20. The method of claim 1, wherein the particular sequence of events includes a first event that is indicative of a privilege elevation associated with a user account, and a second event that is indicative of a login associated with the user account.
  - 21. The method of claim 1, wherein the identifying the lateral movement candidate entities includes identifying a particular entity as being a lateral movement candidate entity based on a determination that a particular event associated with the particular entity is an event that is indicative of a suspicious login chain.
  - 22. The method of claim 1, wherein the identifying the lateral movement candidate entities includes identifying a particular entity as being a lateral movement candidate entity based on a determination that a particular event associated with the particular entity is an event that is indicative of a privilege elevation.
  - 23. The method of claim 1, further comprising:
    - analyzing the graph data structure to determine that a particular event is unlikely to represent a security threat; and
      
      removing a particular entity from the lateral movement candidate entities based on the particular event being identified as being unlikely to represent a security threat.
  - 24. The method of claim 1, wherein the identifying the lateral movement candidate entities includes identifying a particular entity as being a lateral movement candidate entity based on a determination that a particular event associated with the particular entity is an event that is indicative of a user enumeration attack.
  - 25. The method of claim 1, wherein the identifying the lateral movement candidate entities includes identifying a particular entity as being a lateral movement candidate entity based on a determination that a particular event associated with the particular entity is an event that is indicative of a number of process creation events above a predetermined threshold.
  - 26. The method of claim 1, wherein the identifying the lateral movement candidate entities includes identifying a particular entity as being a lateral movement candidate entity based on a determination that a particular event associated with the particular entity is an event that is indicative of a number of ports scanned above a predetermined threshold.

27. A computing device, comprising:
- a processor; and
  
  a memory storing instructions that, when executed by the processor, cause the processor to perform a process including;
  
  accessing event data indicative of a plurality of events related to a plurality of entities associated with a network;
  
  identifying, based on the event data, lateral movement candidate entities by identifying a subset of the plurality of entities as being associated with particular events that indicate lateral movement in the network;
  
  creating, based on the event data, a graph data structure that is indicative of a sequence of events associated with the lateral movement candidate entities, wherein the graph data structure includes a plurality of nodes and one or more connections between the nodes, each of the nodes represents an entity of the plurality of entities and is associated, via the graph data structure, with a feature vector that is derived from a set of events that are associated with the node, and a connection from a first node to a second node in the graph data structure represents a sequence of events in the plurality of events; and
  
  analyzing, the graph data structure to identify a potential security threat by identifying a subset of the lateral movement candidate entities that are associated with a particular sequence of events.

28. A non-transitory machine-readable storage medium storing instructions which, when executed by at least one processor, cause the at least one processor to perform operations, comprising:
- accessing event data indicative of a plurality of events related to a plurality of entities associated with a network;
  
  identifying, based on the event data, lateral movement candidate entities by identifying a subset of the plurality of entities as being associated with particular events that indicate lateral movement in the network;
  
  creating, based on the event data, a graph data structure that is indicative of a sequence of events associated with the lateral movement candidate entities, wherein the graph data structure includes a plurality of nodes and one or more connections between the nodes, each of the nodes represents an entity of the plurality of entities and is associated, via the graph data structure, with a feature vector that is derived from a set of events that are associated with the node, and a connection from a first node to a second node in the graph data structure represents a sequence of events in the plurality of events; and
  
  analyzing, the graph data structure to identify a potential security threat by identifying a subset of the lateral movement candidate entities that are associated with a particular sequence of events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Joseph Durairaj, Satheesh Kumar, Miskovic, Stanislav, Apostolopoulos, Georgios
Primary Examiner(s)
Rahim, Monjur

Application Number

US15/582,645
Publication Number

US 20180316704A1
Time in Patent Office

913 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 21/316   by observing the pattern of...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06N 20/00   Machine learning

G06N 5/022   Knowledge engineering; Know...

G06N 7/01   Probabilistic graphical mod...

H04L 41/142   using statistical or mathem...

H04L 41/145   involving simulating, desig...

H04L 41/22   comprising specially adapte...

H04L 63/1425   Traffic logging, e.g. anoma...

Lateral movement detection through graph-based candidate selection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Lateral movement detection through graph-based candidate selection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links