
Malicious threat detection through time series graph analysis

  • US 10,476,896 B2
  • Filed: 09/13/2016
  • Issued: 11/12/2019
  • Est. Priority Date: 09/13/2016
  • Status: Active Grant
First Claim

1. A computer-implemented method comprising:

  • receiving, by a data analysis device, a data file comprising multiple log data entries, the log data entries including parameters that describe a computer network event in a computing network that is under evaluation for cybersecurity purposes;

  • producing, using a graphics processor of the data analysis device, a graphical model of the computing network that is under evaluation for cybersecurity purposes based on at least one parameter obtained from the log data entries, wherein vertices of the graphical model each represent a computing asset, and edges of the graphical model each represent one of the multiple log data entries;

  • applying a graph analytic measure to the graphical model to enrich each vertex of the graphical model that represents a computing asset of the computing network that is under evaluation for cybersecurity purposes based on a respective centrality measure of the vertex that identifies vertices in the graphical model that are indicated as most central or important;

  • performing, using at least the graphics processor, a time-series analysis on the graphical model whose vertices have been enriched based on the centrality measures to determine a relative importance of each vertex in the computing network;

  • detecting, based on the time-series analysis on the graphical model, a shift of the parameter at one or more vertices of the graphical model relative to a threshold over a time series of the graphical model; and

  • determining, based on (i) detecting the shift of the parameter at the one or more vertices of the graphical model relative to the threshold over the time series of the graphical model and (ii) false positive handling functionality defining known good computing assets in the computing network that periodically generate sudden shifts in relative importance, whether at least one of an anomalous event associated with the computing network or a malicious event associated with the computing network has occurred.
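The claimed pipeline, worked through on constructed data as an added example (not code from the patent or its assignee): each log entry becomes an edge, each asset a vertex, degree centrality stands in for the claim's "graph analytic measure", and a per-window jump above a threshold raises an alert unless the asset is on an assumed known-good list. The entry format, the `KNOWN_GOOD` set and the threshold value are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample log entries: (time_window, source_asset, destination_asset).
# Window 1 has a scheduled backup host touching many assets; window 2 has a
# workstation (ws4) that suddenly connects to most of the network.
LOG_ENTRIES = [
    (0, "ws1", "dc1"), (0, "ws2", "dc1"), (0, "ws3", "dc1"), (0, "ws1", "file1"),
    (1, "ws1", "dc1"), (1, "ws2", "dc1"), (1, "ws3", "dc1"), (1, "backup", "file1"),
    (1, "backup", "ws1"), (1, "backup", "ws2"), (1, "backup", "ws3"),
    (2, "ws1", "dc1"), (2, "ws2", "dc1"), (2, "ws4", "dc1"),
    (2, "ws4", "ws1"), (2, "ws4", "ws2"), (2, "ws4", "ws3"), (2, "ws4", "file1"),
]

# Assumed allowlist of assets known to spike periodically (the claim's
# false-positive handling), e.g. a backup server that sweeps every host nightly.
KNOWN_GOOD = {"backup"}


def degree_centrality(entries):
    """Normalised degree centrality for every vertex in one window's graph."""
    neighbours = defaultdict(set)
    for _, src, dst in entries:        # one edge per log entry, undirected here
        neighbours[src].add(dst)
        neighbours[dst].add(src)
    n = len(neighbours)
    return {v: len(nb) / (n - 1) for v, nb in neighbours.items()} if n > 1 else {}


def centrality_series(entries):
    """Build one graph per time window and return the centrality maps in order."""
    by_window = defaultdict(list)
    for entry in entries:
        by_window[entry[0]].append(entry)
    return [degree_centrality(by_window[w]) for w in sorted(by_window)]


def detect_shifts(series, threshold, known_good=frozenset()):
    """Return (window, vertex, delta) for vertices whose centrality rose by more
    than `threshold` against the previous window, skipping known-good assets."""
    alerts = []
    for w in range(1, len(series)):
        prev, cur = series[w - 1], series[w]
        for vertex, score in cur.items():
            delta = score - prev.get(vertex, 0.0)   # absent before counts as 0
            if delta > threshold and vertex not in known_good:
                alerts.append((w, vertex, round(delta, 3)))
    return alerts


if __name__ == "__main__":
    for alert in detect_shifts(centrality_series(LOG_ENTRIES), 0.4, KNOWN_GOOD):
        print(alert)   # the backup spike is suppressed; ws4 in window 2 is flagged
```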
