Malicious threat detection through time series graph analysis
Abstract
Malicious threat detection through time-series graph analysis, in which a data analysis device receives a data file comprising multiple log data entries. The log data entries include parameters associated with a computer network event in a computing network. The data analysis device produces a graphical model of the computing network based on at least one parameter included in the log data. The data analysis device also identifies a parameter associated with a node of the computer network represented by the graphical model, and performs a time-series analysis on the parameter. The data analysis device further determines, based on the time-series analysis on the parameter, at least one of an anomalous event associated with the computing network or a malicious event associated with the computing network.
20 Claims
1. A computer-implemented method comprising:
receiving, by a data analysis device, a data file comprising multiple log data entries, the log data entries including parameters that describe a computer network event in a computing network that is under evaluation for cybersecurity purposes;
producing, using a graphics processor of the data analysis device, a graphical model of the computing network that is under evaluation for cybersecurity purposes based on at least one parameter obtained from the log data entries, wherein vertices of the graphical model each represent a computing asset, and edges of the graphical model each represent one of the multiple log data entries;
applying a graph analytic measure to the graphical model to enrich each vertex of the graphical model that represents a computing asset of the computing network that is under evaluation for cybersecurity purposes based on a respective centrality measure of the vertex that identifies vertices in the graphical model that are indicated as most central or important;
performing, using at least the graphics processor, a time-series analysis on the graphical model whose vertices have been enriched based on the centrality measures to determine a relative importance of each vertex in the computing network;
detecting, based on the time-series analysis on the graphical model, a shift of the parameter at one or more vertices of the graphical model relative to a threshold over a time series of the graphical model; and
determining, based on (i) detecting the shift of the parameter at the one or more vertices of the graphical model relative to the threshold over the time series of the graphical model and (ii) false positive handling functionality defining known good computing assets in the computing network that periodically generate sudden shifts in relative importance, whether at least one of an anomalous event associated with the computing network or a malicious event associated with the computing network has occurred.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9 and 19.

10. An electronic system comprising:
one or more processing devices; and
one or more non-transitory machine-readable storage devices storing instructions that are executable by the one or more processing devices to perform operations comprising:
receiving, by a data analysis device, a data file comprising multiple log data entries, the log data entries including parameters that describe a computer network event in a computing network that is under evaluation for cybersecurity purposes;
producing, using a graphics processor of the data analysis device, a graphical model of the computing network that is under evaluation for cybersecurity purposes based on at least one parameter obtained from the log data entries, wherein vertices of the graphical model each represent a computing asset, and edges of the graphical model each represent one of the multiple log data entries;
applying a graph analytic measure to the graphical model to enrich each vertex of the graphical model that represents a computing asset of the computing network that is under evaluation for cybersecurity purposes based on a respective centrality measure of the vertex that identifies vertices in the graphical model that are indicated as most central or important;
performing, using at least the graphics processor, a time-series analysis on the graphical model whose vertices have been enriched based on the centrality measures to determine a relative importance of each vertex in the computing network;
detecting, based on the time-series analysis on the graphical model, a shift of the parameter at one or more vertices of the graphical model relative to a threshold over a time series of the graphical model; and
determining, based on (i) detecting the shift of the parameter at the one or more vertices of the graphical model relative to the threshold over the time series of the time series analysis on the graphical model and (ii) false positive handling functionality defining known good computing assets in the computing network that periodically generate sudden shifts in relative importance, whether at least one of an anomalous event associated with the computing network or a malicious event associated with the computing network has occurred.
Dependent claims: 11, 12, 13, 14, 15, 16 and 20.

17. A non-transitory computer storage unit disposed in a data analysis device and encoded with a computer program, the program comprising instructions that when executed by one or more processing units cause performance of operations comprising:
receiving, by a data analysis device, a data file comprising multiple log data entries, the log data entries including parameters that describe a computer network event in a computing network that is under evaluation for cybersecurity purposes;
producing, using a graphics processor of the data analysis device, a graphical model of the computing network that is under evaluation for cybersecurity purposes based on at least one parameter obtained from the log data entries, wherein vertices of the graphical model each represent a computing asset, and edges of the graphical model each represent one of the multiple log data entries;
applying a graph analytic measure to the graphical model to enrich each vertex of the graphical model that represents a computing asset of the computing network that is under evaluation for cybersecurity purposes based on a respective centrality measure of the vertex that identifies vertices in the graphical model that are indicated as most central or important;
performing, using at least the graphics processor, a time-series analysis on the graphical model whose vertices have been enriched based on the centrality measures to determine a relative importance of each vertex in the computing network;
detecting, based on the time-series analysis on the graphical model, a shift of the parameter at one or more vertices of the graphical model relative to a threshold over a time series of the graphical model; and
determining, based on (i) detecting the shift of the parameter at the one or more vertices of the graphical model relative to the threshold over the time series of the graphical model and (ii) false positive handling functionality defining known good computing assets in the computing network that periodically generate sudden shifts in relative importance, whether at least one of an anomalous event associated with the computing network or a malicious event associated with the computing network has occurred.
Dependent claim: 18.
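The pipeline the independent claims describe (log entries as edges, assets as vertices, a centrality measure per vertex, a time series of that measure, a threshold on its shift, and an allowlist of known-good assets that spike periodically), as an added stand-alone example that is not the patent's own code. The log entries, the asset names and the "backup1" allowlist are constructed for illustration; degree centrality stands in for whatever graph analytic measure an implementation would choose.

```python
from collections import defaultdict

# Constructed log entries (not from the patent): (time window, source asset, destination).
# In window 3, "ws7" suddenly talks to many hosts; "backup1" also spikes, as it does every
# backup cycle, so it is listed as a known-good asset for false-positive handling.
LOG_ENTRIES = [
    (0, "ws7", "srv1"), (0, "ws2", "srv1"), (0, "ws3", "srv2"), (0, "backup1", "srv1"),
    (1, "ws7", "srv1"), (1, "ws2", "srv2"), (1, "ws3", "srv1"), (1, "backup1", "srv2"),
    (2, "ws7", "srv2"), (2, "ws2", "srv1"), (2, "ws3", "srv2"), (2, "backup1", "srv1"),
    (3, "ws7", "srv1"), (3, "ws7", "srv2"), (3, "ws7", "ws2"), (3, "ws7", "ws3"),
    (3, "backup1", "srv1"), (3, "backup1", "srv2"), (3, "backup1", "ws2"),
    (3, "backup1", "ws3"), (3, "ws2", "srv1"),
]
KNOWN_GOOD = {"backup1"}  # hypothetical allowlist of assets known to spike periodically

def build_graphs(entries):
    """One undirected graph per window: vertices are assets, each log entry is an edge."""
    graphs = defaultdict(lambda: defaultdict(set))
    for window, src, dst in entries:
        graphs[window][src].add(dst)
        graphs[window][dst].add(src)
    return graphs

def degree_centrality(graph):
    """Enrich each vertex with normalised degree centrality (a simple centrality measure)."""
    n = len(graph)
    return {v: (len(nbrs) / (n - 1) if n > 1 else 0.0) for v, nbrs in graph.items()}

def centrality_series(entries):
    """Time series of centrality per asset; an asset absent from a window scores 0."""
    graphs = build_graphs(entries)
    assets = {a for g in graphs.values() for a in g}
    series = {a: [] for a in assets}
    for window in sorted(graphs):
        cent = degree_centrality(graphs[window])
        for a in assets:
            series[a].append(cent.get(a, 0.0))
    return series

def detect_shifts(entries, threshold=0.5, known_good=KNOWN_GOOD):
    """Compare each asset's latest centrality with the mean of its earlier windows.
    Returns (flagged, suppressed): shifts above threshold, split by the known-good list."""
    flagged, suppressed = {}, {}
    for asset, values in centrality_series(entries).items():
        if len(values) < 2:
            continue
        baseline = sum(values[:-1]) / (len(values) - 1)
        shift = round(values[-1] - baseline, 3)
        if shift > threshold:
            (suppressed if asset in known_good else flagged)[asset] = shift
    return flagged, suppressed
```

On the constructed entries, `detect_shifts(LOG_ENTRIES)` returns `({'ws7': 0.6}, {'backup1': 0.6})`: both assets jump from 0.2 to 0.8, but only the workstation is reported because the backup host is on the allowlist.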
Specification