Detecting malicious lateral movement across a computer network

US 10,505,954 B2
Filed: 06/14/2017
Issued: 12/10/2019
Est. Priority Date: 06/14/2017
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious computers in a computer network, the method comprising:

generating a graph representing the computer network, the graph comprising nodes that represent computers and user accounts, and edges that represent computer connections and user logon events;

determining a weight of each of the edges in the graph;

determining a path-rate score for a plurality of paths in the graph using the weight of each of the edges;

filtering from the plurality of paths in the graph a time-excluded set of one or more paths that does not meet one or more time constraints;

ranking a ranked set of the plurality of paths based on the path-rate score for each path in the ranked set of the plurality of paths; and

identifying the malicious computers in the computer network based at least in part on the ranking and based at least in part on the filtering out of the time-excluded set of one or more paths.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Graph-based detection systems and techniques are provided to identify potential malicious lateral movement paths. System and security events may be used to generate a network connection graph and detect remote file executions and/or other detections, for use in tracking malicious lateral movement across a computer network, such as a compromised computer network. Lateral movement determination across a computer network may be divided into two subproblems: forensic analysis and general detection. With forensic analysis, given a malicious node, possible lateral movement leading into or out of the node is identified. General detection identifies previously unknown malicious lateral movement on a network using a remote file execution detector, and/or other detectors, and a rare path anomaly detection algorithm.

24 Citations

View as Search Results

20 Claims

1. A method for detecting malicious computers in a computer network, the method comprising:
- generating a graph representing the computer network, the graph comprising nodes that represent computers and user accounts, and edges that represent computer connections and user logon events;
  
  determining a weight of each of the edges in the graph;
  
  determining a path-rate score for a plurality of paths in the graph using the weight of each of the edges;
  
  filtering from the plurality of paths in the graph a time-excluded set of one or more paths that does not meet one or more time constraints;
  
  ranking a ranked set of the plurality of paths based on the path-rate score for each path in the ranked set of the plurality of paths; and
  
  identifying the malicious computers in the computer network based at least in part on the ranking and based at least in part on the filtering out of the time-excluded set of one or more paths.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising filtering a plurality of the nodes from the graph, prior to determining the path-rate score for the ranked set of the plurality of paths in the graph.
  - 3. The method of claim 2, further comprising filtering at least one of the plurality of the paths from the graph prior to determining the path-rate score.
  - 4. The method of claim 1, wherein determining the path-rate score for the ranked set of the plurality of paths in the graph comprises computing the path-rate score for each path along a rare path in the graph.
  - 5. The method of claim 1, wherein the filtering the time-excluded set of one or more paths from the plurality of paths in the graph comprises eliminating one or more infeasible paths from the graph based on determining that timestamps of each of the one or more infeasible paths indicate one or more infeasible sequences of edges in each of the one or more infeasible paths.
  - 6. The method of claim 1, wherein the one or more time constraints comprises a threshold amount of time, and wherein the filtering the time-excluded set of one or more paths from the plurality of paths in the graph comprises filtering one or more paths outside the threshold amount of time.
  - 7. The method of claim 1, further comprising disabling the identified malicious computers.
  - 8. The method of claim 1, further comprising identifying a malicious user account in the computer network based at least in part on the ranking, and disabling the malicious user account.
  - 9. The method of claim 1, wherein the plurality of paths comprise 1-hop paths and 2-hop paths.
  - 10. The method of claim 1, further comprising performing forensic analysis on the graph, wherein ranking the ranked set of the plurality of paths is further based on a result of the forensic analysis.
  - 11. The method of claim 1, further comprising performing general detection on the graph, wherein ranking the ranked set of the plurality of paths is further based on a result of the general detection.

12. A computer system for detecting malicious computers in a computer network, the computer system comprising the following computer components:
- a remote file execution detector configured to detect at least one remote file execution event;
  
  a network graph construction module configured to generate a graph representing the computer network, the graph comprising nodes that represent computers and user accounts, and edges that represent computer connections and user logon events;
  
  a path-rate score module configured to determine a path-rate score for a plurality of paths in the graph;
  
  a general detection module configured to process the graph using the at least one remote file execution event and the path-rate score;
  
  a forensic analysis module configured to process the graph using a compromised computer and account list and the path-rate score; and
  
  a ranking module configured to rank the plurality of paths based on at least one of a result from the general detection module or a result from the forensic analysis module, and output results of the ranking, wherein each of the computer components is embodied in hardware in the computer system.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The system of claim 12, further comprising an automatic account disabling module configured to disable at least one of a malicious computer or a malicious user account responsive to the results of the ranking.
  - 14. The system of claim 12, wherein the remote file execution detector is configured to detect the least one remote file execution event from at least one computing device of the computer network.
  - 15. The system of claim 12, wherein the ranking module is configured to identify at least one of a malicious computer or a malicious user account in the computer network based on the ranking.
  - 16. The system of claim 12, wherein the plurality of paths comprises 1-hop paths and 2-hop paths.

17. A method for detecting malicious computers in a computer network, the method comprising:
- receiving, at a forensic analysis module of a computing device, an identification of a compromised node on a network connection graph corresponding to the computer network, the identification of the compromised node indicating that a computer or account on the computer network indicated by the compromised node is malicious;
  
  receiving, at the forensic analysis module of the computing device, a path-rate score for a plurality of paths in the network connection graph, each of the plurality of paths comprising the compromised node and at least one other node of the network connection graph; and
  
  identifying, at the forensic analysis module of the computing device, lateral movement on the computer network using the identification of the compromised node and the path-rate score for the plurality of paths in the network connection graph.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein identifying lateral movement comprises identifying lateral movement into the compromised node.
  - 19. The method of claim 17, wherein identifying lateral movement comprises identifying lateral movement out of the compromised node.
  - 20. The method of claim 17, wherein identifying lateral movement comprises using 1-hop connections with the compromised node and using 2-hop connections with the compromised node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Stokes, III, Jack Wilson, Mead, Robert James, Burrell, Tim William, Hellen, Ian, Lambert, John Joseph, Cui, Weidong, Marochko, Andrey, Liu, Qingyun
Primary Examiner(s)
Moorthy, Aravind K

Application Number

US15/622,326
Publication Number

US 20180367548A1
Time in Patent Office

909 Days
Field of Search

726 23, 726 25, 713188
US Class Current
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 43/045   for graphical visualisation...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

H04L 67/10   in which an application is ...

Detecting malicious lateral movement across a computer network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting malicious lateral movement across a computer network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links