Forensic analysis of computing activity
First Claim
1. A computer program product for forensic analysis for computer processes, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on a computing device, performs the steps of:
- instrumenting a first endpoint to record a sequence of events causally relating computing objects, and to preserve events in the sequence of events for a predetermined time window, the predetermined time window having a longer duration for a first type of the computing objects than for a second type of the computing objects;
- detecting a security event associated with one of the computing objects;
- in response to detecting the security event, traversing an event graph based on the sequence of events in a reverse order from the one of the computing objects associated with the security event to one or more preceding ones of the computing objects;
- while traversing the event graph in the reverse order, identifying one of the computing objects as a cause of the security event; and
- traversing the event graph forward from the cause of the security event to identify one or more other ones of the computing objects affected by the cause.
Abstract
A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files. When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects. For a root cause analysis, the event graph may be traversed in a reverse order from the point of an identified security event (e.g., a malware detection event) to preceding computing objects, while applying one or more cause identification rules to identify a root cause of the security event. Once a root cause is identified, the event graph may be traversed forward from the root cause to identify other computing objects that are potentially compromised by the root cause.
19 Claims
2. A method for forensic analysis for computer processes, the method comprising:
- instrumenting a first endpoint to record a sequence of events causally relating computing objects, and to preserve events in the sequence of events for a predetermined time window, the predetermined time window having a longer duration for one type of the computing objects than for a second type of the computing objects;
- detecting a security event associated with one of the computing objects;
- in response to detecting the security event, traversing an event graph based on the sequence of events in a reverse order from the one of the computing objects associated with the security event to one or more preceding ones of the computing objects;
- while traversing the event graph in the reverse order, identifying one of the computing objects as a cause of the security event;
- traversing the event graph forward from the cause of the security event to identify one or more other ones of the computing objects affected by the cause; and
- remediating one or more of the identified computing objects.

(Dependent claims 3 through 18 are not reproduced here.)
19. A system for forensic analysis for computer processes comprising:
- a first endpoint;
- a data recorder instrumented to record a sequence of events causally relating computing objects, and to preserve events in the sequence of events for a predetermined time window, the predetermined time window having a longer duration for a first type of the computing objects than for a second type of the computing objects; and
- a processor and a memory disposed on the first endpoint or in communication with the first endpoint, the memory bearing computer code that, when executing on the processor, performs the steps of:
  - detecting a security event associated with one of the computing objects;
  - in response to detecting the security event, traversing an event graph based on the sequence of events in a reverse order from the one of the computing objects associated with the security event to one or more preceding ones of the computing objects;
  - while traversing the event graph in the reverse order, identifying one of the computing objects as a cause of the security event;
  - traversing the event graph forward from the cause of the security event to identify one or more other ones of the computing objects affected by the cause;
  - examining the identified computing objects affected by the cause; and
  - remediating compromised examined computing objects.
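The abstract and the three independent claims describe one procedure: a data recorder keeps causally linked events with a per-type retention window, a detection triggers a reverse walk of the event graph under cause-identification rules, and a forward walk from the cause enumerates what else is affected. The following is an added example of that procedure, written for this page and not code from the patent or its assignee. Everything concrete in it is assumed: the object kinds (process, file, url), the rule that an event is retained for the longer of the windows of the two objects it relates, the single "external origin" cause rule, the time-ordered forward taint, and the constructed event timeline (there is no real telemetry here).

```python
"""Added example: event-graph root-cause analysis as described in the abstract
and claims.  Object kinds, retention policy, cause rules and sample events are
all constructed assumptions for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Obj:
    kind: str   # assumed object types: "process", "file", "url"
    name: str


@dataclass(frozen=True)
class Event:
    t: float     # seconds since the recorder started (constructed clock)
    action: str  # "spawned", "wrote", "fetched", "read_by", "executed"
    src: Obj     # src causally precedes dst (a file read by a process: file -> process)
    dst: Obj


class DataRecorder:
    """Keeps events for a window that depends on object type (claims: a longer
    window for one type than another).  Assumption: an event survives for the
    longer of the windows of the two objects it relates."""

    def __init__(self, retention: dict, default: float) -> None:
        self.retention, self.default, self.events = retention, default, []

    def record(self, ev: Event) -> None:
        self.events.append(ev)

    def window(self, ev: Event) -> float:
        r = self.retention
        return max(r.get(ev.src.kind, self.default), r.get(ev.dst.kind, self.default))

    def prune(self, now: float) -> int:
        """Drop expired events; returns how many were dropped."""
        before = len(self.events)
        self.events = [e for e in self.events if now - e.t <= self.window(e)]
        return before - len(self.events)


class EventGraph:
    def __init__(self, events: Iterable[Event]) -> None:
        self.fwd = defaultdict(list)  # obj -> events in which it is the cause
        self.rev = defaultdict(list)  # obj -> events in which it is the effect
        for e in sorted(events, key=lambda e: e.t):
            self.fwd[e.src].append(e)
            self.rev[e.dst].append(e)

    def ancestors(self, start: Obj):
        """Reverse traversal (breadth-first) from the detected object; yields (obj, depth)."""
        seen, q = {start}, deque([(start, 0)])
        while q:
            obj, d = q.popleft()
            for e in self.rev[obj]:
                if e.src not in seen:
                    seen.add(e.src)
                    q.append((e.src, d + 1))
                    yield e.src, d + 1

    def find_root_cause(self, start: Obj, rules) -> Optional[Obj]:
        """Apply cause-identification rules while walking backwards; of the objects
        that match, take the one furthest back in the chain.  None means the
        origin is not in the recorded window (see the retention check below)."""
        matches = [(d, o) for o, d in self.ancestors(start) if any(r(o, self) for r in rules)]
        return max(matches, key=lambda m: m[0])[1] if matches else None

    def affected(self, cause: Obj) -> set:
        """Forward traversal with time ordering: an edge propagates only if it
        happened after its source became tainted, so a file winword.exe wrote
        before it opened the malicious document is not flagged."""
        first = self.rev[cause]
        tainted = {cause: first[0].t if first else 0.0}
        q = deque([cause])
        while q:
            obj = q.popleft()
            for e in self.fwd[obj]:
                if e.t >= tainted[obj] and (e.dst not in tainted or e.t < tainted[e.dst]):
                    tainted[e.dst] = e.t
                    q.append(e.dst)
        return {o for o in tainted if o != cause}


def external_origin(obj: Obj, g: EventGraph) -> bool:
    """Assumed cause rule: the object arrived from a URL (e.g. a mail attachment)."""
    return obj.kind != "url" and any(e.src.kind == "url" for e in g.rev[obj])


def analyze(events, detected: Obj, rules: Iterable[Callable] = (external_origin,)):
    g = EventGraph(events)
    cause = g.find_root_cause(detected, tuple(rules))
    return cause, (g.affected(cause) if cause else set())


P = lambda n: Obj("process", n)
F = lambda n: Obj("file", n)
U = lambda n: Obj("url", n)
SAMPLE = [  # constructed timeline, not real endpoint telemetry
    Event(0.5, "spawned", P("explorer.exe"), P("notepad.exe")),
    Event(1.0, "spawned", P("explorer.exe"), P("outlook.exe")),
    Event(2.0, "fetched", U("https://mail.example/attach/1"), F("invoice.doc")),
    Event(2.0, "wrote", P("outlook.exe"), F("invoice.doc")),
    Event(3.0, "spawned", P("explorer.exe"), P("winword.exe")),
    Event(3.2, "wrote", P("winword.exe"), F("~$autosave.tmp")),   # before the document was opened
    Event(3.5, "read_by", F("invoice.doc"), P("winword.exe")),
    Event(4.0, "spawned", P("winword.exe"), P("powershell.exe")),
    Event(4.5, "wrote", P("powershell.exe"), F("dropper.exe")),
    Event(5.0, "spawned", P("powershell.exe"), P("dropper.exe")),
    Event(5.0, "executed", F("dropper.exe"), P("dropper.exe")),
    Event(5.5, "wrote", P("dropper.exe"), F("report.docx")),
    Event(6.0, "spawned", P("explorer.exe"), P("calc.exe")),
]

if __name__ == "__main__":
    cause, hit = analyze(SAMPLE, F("dropper.exe"))   # malware detection on dropper.exe
    print("root cause:", cause)
    for o in sorted(hit, key=lambda o: (o.kind, o.name)):
        print("affected:", o)
```

The retention policy is where the claim's "longer window for one type" matters in practice: with process events kept for 100 s but file and URL events for only 10 s, pruning the recorder at t=15 discards the single url-to-file event, the external-origin rule no longer matches anything, and the reverse walk stops at the edge of the window instead of at the attachment. Short windows on the object types that carry provenance silently turn a root-cause answer into "unknown".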