Computer threat analysis service
First Claim
1. A computer-implemented method, comprising:
- collecting diagnostic information from a plurality of customer computing resources;
- generating event records from the diagnostic information, each event record describing a set of attributes of a corresponding event produced by a customer computing resource;
- generating a graph of correlated event records where individual event records are represented by individual nodes of the graph and each edge of the graph links a pair of event records by a matching attribute;
- using the graph to identify a link between event records associated with different customer computing resources of different service types; and
- detecting a security event in the plurality of computing resources based at least in part on the link between the event records.
Abstract
A system acquires diagnostic information from event logs, trace files, and other diagnostic sources to reduce a set of event records. The event records are arranged in a graph based on correlations between individual event records. Correlations may be based on time, account, credentials, tags, instance identifiers, or other characteristics. The system analyzes the graph to identify anomalies such as data exfiltration anomalies, system compromises, or security events. In some implementations, the system deploys decoy resources within a customer computing environment. Interactions with the decoy resources are captured as event records and added to the graph.
20 Claims
1. A computer-implemented method, comprising:
   - collecting diagnostic information from a plurality of customer computing resources;
   - generating event records from the diagnostic information, each event record describing a set of attributes of a corresponding event produced by a customer computing resource;
   - generating a graph of correlated event records where individual event records are represented by individual nodes of the graph and each edge of the graph links a pair of event records by a matching attribute;
   - using the graph to identify a link between event records associated with different customer computing resources of different service types; and
   - detecting a security event in the plurality of computing resources based at least in part on the link between the event records.
   Dependent claims: 2, 3, 4.

5. A system, comprising:
   - one or more processors; and
   - memory storing computer-executable instructions that, if executed by the one or more processors, cause the system to:
     - generate a graph of event records, the event records describing events in a computing system, individual event records represented by individual nodes of the graph, and each edge of the graph links a pair of event records by a matching attribute;
     - identify a path between a pair of records in the graph, the path including one or more links in the graph, the pair of records associated with events produced by different service types;
     - identify an anomaly in operation of the computing system based at least in part on the path between the pair of records in the graph; and
     - indicate the anomaly.
   Dependent claims: 6, 7, 8, 9, 10, 11, 12.

13. A non-transitory computer-readable storage medium storing executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
   - generate a graph of event records, the event records describing events in a customer computer system, the graph including links between event records with a matching characteristic;
   - identify a correlation between a first record in the graph and a second record in the graph, the correlation represented by a set of links in the graph, the first record and the second record associated with events produced by different service types; and
   - identify an anomaly in operation of the customer computer system based at least in part on the correlation.
   Dependent claims: 14, 15, 16, 17, 18, 19, 20.
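The abstract and the independent claims describe the same pipeline: turn diagnostic records into graph nodes, link nodes whose attributes match (account, credential, instance identifier, time proximity), then look for paths that join records from different service types, including interactions with decoy resources. The following is an added illustration of that pipeline, written for this page; it is not code from the patent or its assignee. The event records, attribute names (`credential`, `instance`, `account`, `minute`), service-type labels and the "large read" threshold are all constructed for the example.

```python
from collections import deque

# Constructed sample event records (illustrative only; not taken from the patent).
# Each record carries a service type plus attributes that may match across records.
EVENTS = [
    {"id": "e1", "service": "identity", "account": "acct-1", "credential": "key-A",
     "minute": 100, "action": "AssumeRole"},
    {"id": "e2", "service": "compute", "account": "acct-1", "credential": "key-A",
     "instance": "i-01", "minute": 101, "action": "RunInstances"},
    {"id": "e3", "service": "storage", "account": "acct-1", "credential": "key-A",
     "minute": 103, "action": "GetObject", "bytes": 50_000_000},
    {"id": "e4", "service": "storage", "account": "acct-2", "credential": "key-B",
     "minute": 200, "action": "ListObjects", "bytes": 0},
    # Decoy interaction: no credential or account attribute, only the instance id,
    # so it is reachable from the identity event only through the compute record.
    {"id": "e5", "service": "decoy", "instance": "i-01",
     "minute": 104, "action": "DecoyRead"},
]

# Attributes whose equal values create an edge between two records (hypothetical names).
LINK_ATTRS = ("credential", "instance", "account")


def build_graph(events, attrs=LINK_ATTRS, window=60):
    """Return an adjacency map: node id -> {neighbor id: matching attribute}.

    Two records are linked when they share a value on one of `attrs` and occurred
    within `window` minutes of each other; the time gate keeps a shared account from
    linking unrelated activity that is far apart in time.
    """
    by_id = {e["id"]: e for e in events}
    graph = {eid: {} for eid in by_id}
    ids = list(by_id)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            ea, eb = by_id[a], by_id[b]
            if abs(ea["minute"] - eb["minute"]) > window:
                continue
            for attr in attrs:
                if attr in ea and attr in eb and ea[attr] == eb[attr]:
                    graph[a][b] = attr
                    graph[b][a] = attr
                    break  # one edge per pair, labelled with the first matching attribute
    return graph


def find_path(graph, src, dst):
    """Breadth-first search; returns the node ids from src to dst, or None if unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in graph[cur]:
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def detect_security_events(events, graph, source_service="identity", exfil_bytes=10_000_000):
    """Flag records of `source_service` that are joined by a path to a suspicious record
    of a different service type: a decoy interaction or a read above `exfil_bytes`."""
    findings = []
    for src in (e for e in events if e["service"] == source_service):
        for dst in events:
            if dst["service"] == src["service"]:
                continue
            if dst["service"] == "decoy":
                reason = "decoy interaction"
            elif dst.get("bytes", 0) >= exfil_bytes:
                reason = "large read"
            else:
                continue
            path = find_path(graph, src["id"], dst["id"])
            if path:
                findings.append({"from": src["id"], "to": dst["id"],
                                 "path": path, "reason": reason})
    return findings


if __name__ == "__main__":
    g = build_graph(EVENTS)
    for f in detect_security_events(EVENTS, g):
        print(f"{f['reason']}: {' -> '.join(f['path'])}")
```

In the constructed data the identity event `e1` reaches the decoy read `e5` only via the compute record `e2` (credential match, then instance match), which is the cross-service link the claims describe; the storage event `e4` in another account and outside the time window stays isolated and produces no finding. In practice the attribute list and time window are the tuning knobs: too few attributes and real chains go unlinked, too many and a shared account joins everything.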