Detecting malicious lateral movement across a computer network
Abstract
Graph-based detection systems and techniques are provided to identify potential malicious lateral movement paths. System and security events may be used to generate a network connection graph and detect remote file executions and/or other detections, for use in tracking malicious lateral movement across a computer network, such as a compromised computer network. Lateral movement determination across a computer network may be divided into two subproblems: forensic analysis and general detection. With forensic analysis, given a malicious node, possible lateral movement leading into or out of the node is identified. General detection identifies previously unknown malicious lateral movement on a network using a remote file execution detector, and/or other detectors, and a rare path anomaly detection algorithm.
20 Claims
1. A method for detecting malicious computers in a computer network, the method comprising:
generating a graph representing the computer network, the graph comprising nodes that represent computers and user accounts, and edges that represent computer connections and user logon events;
determining a weight of each of the edges in the graph;
determining a path-rate score for a plurality of paths in the graph using the weight of each of the edges;
filtering from the plurality of paths in the graph a time-excluded set of one or more paths that does not meet one or more time constraints;
ranking a ranked set of the plurality of paths based on the path-rate score for each path in the ranked set of the plurality of paths; and
identifying the malicious computers in the computer network based at least in part on the ranking and based at least in part on the filtering out of the time-excluded set of one or more paths.
Dependent claims: 2 to 11.

12. A computer system for detecting malicious computers in a computer network, the computer system comprising the following computer components:
a remote file execution detector configured to detect at least one remote file execution event;
a network graph construction module configured to generate a graph representing the computer network, the graph comprising nodes that represent computers and user accounts, and edges that represent computer connections and user logon events;
a path-rate score module configured to determine a path-rate score for a plurality of paths in the graph;
a general detection module configured to process the graph using the at least one remote file execution event and the path-rate score;
a forensic analysis module configured to process the graph using a compromised computer and account list and the path-rate score; and
a ranking module configured to rank the plurality of paths based on at least one of a result from the general detection module or a result from the forensic analysis module, and output results of the ranking,
wherein each of the computer components is embodied in hardware in the computer system.
Dependent claims: 13 to 16.

17. A method for detecting malicious computers in a computer network, the method comprising:
receiving, at a forensic analysis module of a computing device, an identification of a compromised node on a network connection graph corresponding to the computer network, the identification of the compromised node indicating that a computer or account on the computer network indicated by the compromised node is malicious;
receiving, at the forensic analysis module of the computing device, a path-rate score for a plurality of paths in the network connection graph, each of the plurality of paths comprising the compromised node and at least one other node of the network connection graph; and
identifying, at the forensic analysis module of the computing device, lateral movement on the computer network using the identification of the compromised node and the path-rate score for the plurality of paths in the network connection graph.
Dependent claims: 18 to 20.
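The pipeline of claim 1 (graph of hosts and accounts, edge weights, path-rate score, time-constraint filter, ranking, host identification) together with the forensic mode of claim 17, as an added worked example that is not the patent's own code. The claims leave the weight, the path-rate score and the time constraints open, so the definitions used here are assumptions: an edge weight is the negative log of a smoothed transition probability estimated from a baseline period, the path-rate score is the mean edge weight along a path, and a path passes the time constraints only if its hops occur in strictly increasing order within a fixed window. All logon events (the kind of record a Windows Security 4624 logon event supplies) are constructed for the example.

```python
"""Rare-path ranking over a host/account logon graph (added example, not the
patent's code). ASSUMED definitions, since the claims leave them open:
  edge weight     = -log of the add-one smoothed probability, estimated from a
                    baseline period, of taking that edge from its source node
  path-rate score = mean edge weight along the path (rarity per edge)
  time constraint = hops in strictly increasing time order, each within WINDOW
All events below are constructed for the example.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)    # assumed maximum gap between consecutive hops
MIN_EVENTS, MAX_EVENTS = 2, 3   # a lateral-movement path has at least two hops

# Constructed baseline: 20 days of routine logons as (time, source host, account, destination host).
BASELINE = []
for _day in range(20):
    _t = datetime(2024, 3, 1) + timedelta(days=_day)
    BASELINE += [
        (_t + timedelta(hours=9), "WS01", "alice", "FILESRV"),
        (_t + timedelta(hours=9, minutes=5), "WS02", "bob", "FILESRV"),
        (_t + timedelta(hours=10), "WS01", "alice", "MAIL"),
        (_t + timedelta(hours=8), "JUMP", "svc_admin", "DC01"),
        (_t + timedelta(hours=22), "FILESRV", "svc_backup", "BACKUP"),
    ]

# Constructed analysis window: routine logons, an attacker chain that abuses
# svc_backup to reach DC01 and then HRDB, and a decoy rare hop whose timestamp
# precedes every logon into FILESRV, so it cannot be the continuation of a chain.
T0 = datetime(2024, 3, 22)
RECENT = [
    (T0 + timedelta(hours=8), "JUMP", "svc_admin", "DC01"),
    (T0 + timedelta(hours=7), "FILESRV", "svc_backup", "HRDB"),              # decoy
    (T0 + timedelta(hours=9), "WS01", "alice", "FILESRV"),
    (T0 + timedelta(hours=9, minutes=3), "WS02", "bob", "FILESRV"),
    (T0 + timedelta(hours=9, minutes=40), "FILESRV", "svc_backup", "DC01"),  # unseen in baseline
    (T0 + timedelta(hours=10, minutes=5), "DC01", "svc_backup", "HRDB"),     # unseen in baseline
    (T0 + timedelta(hours=22), "FILESRV", "svc_backup", "BACKUP"),
]


def edge_weights(baseline, all_events):
    """Nodes are hosts and accounts; a logon (src, user, dst) contributes the
    edges src->user and user->dst. Returns w(u, v) = -log P_smoothed(v | u)."""
    nodes = {n for e in all_events for n in e[1:]}
    count, out = Counter(), Counter()
    for _, src, user, dst in baseline:
        for edge in ((src, user), (user, dst)):
            count[edge] += 1
            out[edge[0]] += 1
    V = len(nodes)
    return lambda u, v: -math.log((count[(u, v)] + 1) / (out[u] + V))


def candidate_paths(events):
    """Chains of logon events in which each hop starts at the host where the
    previous one ended. Connectivity only: the time constraint is applied as a
    separate filtering step, as in the claim. Hosts are not revisited."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e[1]].append(e)
    paths = []

    def extend(chain, visited):
        if len(chain) >= MIN_EVENTS:
            paths.append(chain)
        if len(chain) < MAX_EVENTS:
            for nxt in by_src[chain[-1][3]]:
                if nxt[3] not in visited:
                    extend(chain + [nxt], visited | {nxt[3]})

    for e in events:
        extend([e], {e[1], e[3]})
    return paths


def meets_time_constraints(path):
    """Strictly increasing timestamps, each hop within WINDOW of the previous."""
    return all(a[0] < b[0] <= a[0] + WINDOW for a, b in zip(path, path[1:]))


def path_rate(path, w):
    """Assumed path-rate score: mean weight of the path's src->user->dst edges."""
    edges = [edge for _, src, user, dst in path for edge in ((src, user), (user, dst))]
    return sum(w(u, v) for u, v in edges) / len(edges)


def rank_paths(baseline, recent):
    """Claim 1 pipeline: weight, enumerate, time-filter, score, rank (rarest first)."""
    w = edge_weights(baseline, baseline + recent)
    kept = [p for p in candidate_paths(recent) if meets_time_constraints(p)]
    return sorted(((path_rate(p, w), p) for p in kept), key=lambda sp: -sp[0])


def forensic_paths(ranked, compromised):
    """Claim 17 mode: ranked paths that pass through a known-compromised host or account."""
    return [(s, p) for s, p in ranked if any(compromised in e[1:] for e in p)]


def suspect_hosts(ranked, top_k=1):
    """Computers on the top-k ranked paths (the accounts on those paths are the middle nodes)."""
    return {h for _, p in ranked[:top_k] for _, src, _, dst in p for h in (src, dst)}


if __name__ == "__main__":
    ranked = rank_paths(BASELINE, RECENT)
    for score, p in ranked:
        print(f"{score:.2f}  " + " ; ".join(f"{s}-[{u}]->{d}" for _, s, u, d in p))
    print("suspect hosts:", sorted(suspect_hosts(ranked)))
    print("paths through DC01:", len(forensic_paths(ranked, "DC01")))
```

Run as a script it lists the surviving paths rarest first; the two never-seen hops FILESRV to DC01 and DC01 to HRDB under svc_backup rank on top, the decoy hop into HRDB at 07:00 is generated by the connectivity enumeration but dropped by the time filter, and asking for paths through DC01 gives the forensic view of claim 17. Two design points worth noting: scoring by the mean rather than the sum of edge weights keeps a long chain of routine logons from outranking a short chain of unseen ones, and keeping the time filter as a separate step after enumeration makes it easy to change the window or the ordering rule without touching the scoring.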
Specification