Lateral movement detection for network security analysis
First Claim
1. A method comprising:
- receiving, by a computer system, first data indicative of computer network activity of a plurality of users and network devices;
- assigning, by the computer system, usage similarity scores to the network devices based on the first data, the usage similarity scores being indicative of which of the network devices have been shared by a user or by a group of users who satisfy a similarity criterion;
- receiving, by the computer system, second data indicative of computer network activity of a particular user of the plurality of users; and
- detecting, by the computer system and in response to the second data, an anomaly indicative that the particular user has interacted with a particular network device with which the particular user does not normally interact, based on the usage similarity scores.
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. It performs user/entity behavioral analytics (UEBA) to detect security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat and to take action promptly.
30 Claims
1. A method comprising:
- receiving, by a computer system, first data indicative of computer network activity of a plurality of users and network devices;
- assigning, by the computer system, usage similarity scores to the network devices based on the first data, the usage similarity scores being indicative of which of the network devices have been shared by a user or by a group of users who satisfy a similarity criterion;
- receiving, by the computer system, second data indicative of computer network activity of a particular user of the plurality of users; and
- detecting, by the computer system and in response to the second data, an anomaly indicative that the particular user has interacted with a particular network device with which the particular user does not normally interact, based on the usage similarity scores.
Dependent claims: 2 to 28.
29. A computing device comprising:
- a processor; and
- a memory storing instructions, execution of which by the processor will cause the computing device to perform a process including:
- receiving first data indicative of computer network activity of a plurality of users and network devices in a computer network;
- assigning usage similarity scores to the network devices based on the first data, the usage similarity scores being indicative of which of the network devices have been shared by a user or by a group of users who satisfy a similarity criterion;
- receiving second data indicative of computer network activity of a particular user of the plurality of users; and
- in response to the second data, detecting an anomaly indicative that the particular user has interacted with a particular network device with which the particular user does not normally interact, based on the usage similarity scores.
30. A non-transitory machine readable storage medium storing instructions, execution of which in a machine will cause the machine to perform a process including:
- receiving, by the machine, first data indicative of computer network activity of a plurality of users and network devices in a computer network;
- assigning, by the machine, usage similarity scores to the network devices based on the first data, the usage similarity scores being indicative of which of the network devices have been shared by a user or by a group of users who satisfy a similarity criterion;
- receiving, by the machine, second data indicative of computer network activity of a particular user of the plurality of users; and
- detecting, by the machine and in response to the second data, an anomaly indicative that the particular user has interacted with a particular network device with which the particular user does not normally interact, based on the usage similarity scores.
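As an added illustration (not the patent's own code or the claimed implementation), the following Python sketch walks the claimed steps: user and device profiles are built from the first data, peer groups are formed under an assumed similarity criterion (Jaccard overlap of the device sets), each device receives a usage similarity score, and the second data (one user touching one device) is checked for the anomaly. The scoring formula, the thresholds and the sample events are all assumptions made for this example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample "first data": (user, device) interactions from a baseline window.
BASELINE = [
    ("alice", "fileserver-eng"), ("alice", "alice-laptop"), ("alice", "build01"), ("alice", "wiki"),
    ("bob", "fileserver-eng"), ("bob", "bob-laptop"), ("bob", "build01"), ("bob", "wiki"),
    ("carol", "fileserver-eng"), ("carol", "carol-laptop"), ("carol", "build01"),
    ("dave", "hr-db"), ("dave", "dave-laptop"),
    ("erin", "hr-db"), ("erin", "erin-laptop"),
]

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0

def build_profiles(events):
    """Index the first data as user -> devices and device -> users."""
    by_user, by_device = defaultdict(set), defaultdict(set)
    for user, device in events:
        by_user[user].add(device)
        by_device[device].add(user)
    return by_user, by_device

def peer_groups(by_user, threshold=0.3):
    """Assumed similarity criterion: Jaccard overlap of two users' device sets >= threshold."""
    peers = defaultdict(set)
    for u, v in combinations(by_user, 2):
        if jaccard(by_user[u], by_user[v]) >= threshold:
            peers[u].add(v)
            peers[v].add(u)
    return peers

def usage_similarity_scores(by_device, peers):
    """Assumed score per device: fraction of its users who share it with at least one peer.
    1.0 = a resource shared within a peer group; 0.0 = a single-user device such as a laptop."""
    return {d: sum(1 for u in users if peers[u] & users) / len(users)
            for d, users in by_device.items()}

def detect_anomaly(user, device, by_user, by_device, peers, scores, shared=0.5):
    """Second data: `user` interacted with `device`. Returns (is_anomaly, reason)."""
    if device in by_user.get(user, set()):
        return False, "device is in the user's own baseline"
    if scores.get(device, 0.0) < shared:
        return True, "device is not a shared resource (low usage similarity score)"
    if not (peers[user] & by_device.get(device, set())):
        return True, "shared resource, but not one used by this user's peer group"
    return False, "shared resource already used by the user's peers"
```

With the sample data, carol reaching the wiki her peers use is not flagged, while alice reaching hr-db (a resource shared only by another group) and dave reaching alice-laptop (a single-user device) both are.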