Multi-signal analysis for compromised scope identification
First Claim
1. A method for detecting compromised scopes in an online service, comprising:
- receiving detection results of behaviors occurring on devices within the online service;
- scoring each of the detection results based on how anomalous the respective behaviors are within the online service, wherein each of the detection results are scored based on a ratio between a subpopulation count and a population count for the respective behaviors within the online service;
- excluding one or more of the scored detection results having one or more of a subpopulation count and a population count for the behaviors below one or more of a subpopulation threshold and a population threshold, respectively;
- organizing a remaining one or more of the scored detection results according to scopes;
- applying multi-signal detection logic to a given scope from the scopes to produce a confidence score indicating whether the given scope is compromised;
- determining whether to present an alert of the given scope being compromised based on comparing the confidence score to an alert threshold; and
- in response to determining that the alert is to be presented of the given scope being compromised, generating and transmitting the alert.
Assignments: 1. Petitions: 0.
Abstract
Detecting compromised devices and user accounts within an online service via multi-signal analysis allows for fewer false positives and thus a more accurate allocation of computing resources and human analyst resources. Individual scopes of analysis, related to devices, accounts, or processes, are specified, and multiple behaviors over a period of time are analyzed to detect persistent (and slow-acting) threats as well as brute-force (and fast-acting) threats. Analysts are alerted to individually affected scopes suspected of being compromised and may address them accordingly.
20 Claims
1. A method for detecting compromised scopes in an online service, comprising the steps set out in full above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A system including a processor and a memory storage device storing instructions that when executed by the processor provide for detecting compromised scopes in an online service, comprising:
- a signature anomaly scorer, configured to:
  - receive a given detection result of an event observed occurring in the online service;
  - determine an extent to which a behavior associated with the given detection result has been previously observed as occurring in the online service by determining a subpopulation count and a population count for the behavior in the online service;
  - produce an anomaly score to be associated with the given detection result based on a ratio between the subpopulation count and the population count for the behavior; and
  - determine the subpopulation count and the population count for the behavior is above a subpopulation threshold and a population threshold, respectively; and
- a multi-signal detector in communication with the signature anomaly scorer, configured to:
  - receive one or more detection results sharing a scope in the online service with the given detection result;
  - receive, from the signature anomaly scorer, the anomaly score associated with the given detection result;
  - extract features from the given detection result and the one or more detection results sharing the scope, the features including the anomaly score; and
  - generate a confidence score based on the extracted features for whether the scope is compromised.
Dependent claims: 12, 13, 14, 15, 16.
17. A computer readable storage device including processor executable instructions for detecting compromised scopes in an online service, comprising:
- receiving detection results of behaviors occurring on devices within the online service;
- scoring each of the detection results based on how anomalous the respective behaviors are within the online service, wherein each of the detection results are scored based on a ratio between a subpopulation count and a population count for the respective behaviors within the online service;
- excluding one or more of the scored detection results having one or more of a subpopulation count and a population count for the respective behaviors below one or more of a subpopulation threshold and a population threshold, respectively;
- organizing a remaining one or more of the scored detection results according to scopes, wherein a given scope from the scopes is associated with a given device or a given user account within the online service;
- applying multi-signal detection logic to the given scope to produce a confidence score indicating whether the given scope is compromised;
- determining whether to alert an analyst of the given scope being compromised based on comparing the confidence score to an alert threshold; and
- in response to determining that the analyst is to be alerted of the given scope being compromised, generating and transmitting an alert.
Dependent claims: 18, 19, 20.
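The pipeline the independent claims describe (score each detection by the subpopulation/population ratio, exclude thinly observed results, organize the rest by scope, combine the signals of a scope into a confidence, alert above a threshold), as an added Python example that is not the patent's or any product's code. The 1 - ratio scoring, the mean-times-coverage combiner, the thresholds and the sample detections are all assumptions made here; the claims specify none of them.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Detection:
    scope: str       # device or user account the behavior was observed on
    behavior: str    # name of the detected behavior (signature)
    sub_count: int   # subpopulation count: entities exhibiting this behavior
    pop_count: int   # population count: entities observed in the service

def anomaly_score(sub_count: int, pop_count: int) -> float:
    # Assumption: the smaller the share of the population showing the
    # behavior, the more anomalous it is; 1 - ratio maps that onto [0, 1].
    return 1.0 - sub_count / pop_count

def score_and_filter(dets, sub_threshold=3, pop_threshold=100):
    # Score every detection, excluding those whose counts fall below the
    # thresholds (too few observations for the ratio to be meaningful).
    kept = {}
    for d in dets:
        if d.sub_count < sub_threshold or d.pop_count < pop_threshold:
            continue
        kept[d] = anomaly_score(d.sub_count, d.pop_count)
    return kept

def scope_confidence(scores, required_signals=2):
    # Assumed multi-signal logic (not the patent's): mean anomaly score, discounted
    # when a scope has fewer than required_signals signals, so one rare event alone
    # does not push the scope over the alert threshold.
    coverage = min(1.0, len(scores) / required_signals)
    return sum(scores) / len(scores) * coverage

def analyse(dets, sub_threshold=3, pop_threshold=100):
    by_scope = defaultdict(list)  # organize surviving scores by scope
    for d, s in score_and_filter(dets, sub_threshold, pop_threshold).items():
        by_scope[d.scope].append(s)
    return {scope: scope_confidence(s) for scope, s in by_scope.items()}

def alerts(confidences, alert_threshold=0.9):
    return {scope for scope, c in confidences.items() if c >= alert_threshold}

# Constructed sample: a service of 10,000 devices; all counts are invented.
SAMPLE = [
    Detection("host-a", "new_service_installed", 10, 10_000),
    Detection("host-a", "outbound_to_rare_domain", 25, 10_000),
    Detection("host-b", "new_service_installed", 10, 10_000),
    Detection("host-c", "scheduled_task_created", 6_000, 10_000),
    Detection("host-c", "outbound_to_rare_domain", 25, 10_000),
    Detection("host-d", "rare_parent_child_process", 2, 10_000),
    Detection("host-d", "new_service_installed", 10, 10_000),
]
```

On the constructed sample `alerts(analyse(SAMPLE))` yields only host-a: host-c's common scheduled-task behavior dilutes its rare outbound signal, and host-d's two-device behavior is excluded by the subpopulation threshold, leaving it with a single signal.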