Using graph-based models to identify datacenter anomalies

US 10,581,891 B1
Filed: 09/18/2018
Issued: 03/03/2020
Est. Priority Date: 11/27/2017
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

monitor activities within a network environment and generate a graph of physical connection information, wherein generating the graph of physical connection information includes matching information provided by a client and a server, respectively, into an established connection between the client and the server;

use at least a portion of the generated graph of physical connection information to generate a multidimensional logical graph model, wherein the multidimensional logical graph model comprises a set of nodes and a set of edges, wherein a first node included in the set of nodes corresponds to an entity of a first type and wherein a second node included in the set of nodes corresponds to an entity of a second type that is different from the first type, wherein an edge connects the first node and the second node, wherein a first edge between the first node and the second node has a first edge type and a second edge between the second node and a third node has a second edge type that is different from the first edge type, wherein the first edge type indicates a first behavioral relationship between arbitrary nodes interconnected by the first edge type, and wherein the second edge type indicates a different behavioral relationship between arbitrary nodes interconnected by the second edge type;

determine, using the generated multidimensional logical graph model, that a new edge has been added to the set of edges; and

in response to determining that the new edge has been added to the set of edges, automatically generate an alert that an anomaly in the network environment associated with the new edge has occurred; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Activities within a network environment are monitored (e.g., using agents). At least a portion of the monitored activities are used to generate a logical graph model. The generated logical graph model is used to determine an anomaly. The detected anomaly is recorded and can be used to generate an alert.

Citations

31 Claims

1. A system, comprising:
- a processor configured to;
  
  monitor activities within a network environment and generate a graph of physical connection information, wherein generating the graph of physical connection information includes matching information provided by a client and a server, respectively, into an established connection between the client and the server;
  
  use at least a portion of the generated graph of physical connection information to generate a multidimensional logical graph model, wherein the multidimensional logical graph model comprises a set of nodes and a set of edges, wherein a first node included in the set of nodes corresponds to an entity of a first type and wherein a second node included in the set of nodes corresponds to an entity of a second type that is different from the first type, wherein an edge connects the first node and the second node, wherein a first edge between the first node and the second node has a first edge type and a second edge between the second node and a third node has a second edge type that is different from the first edge type, wherein the first edge type indicates a first behavioral relationship between arbitrary nodes interconnected by the first edge type, and wherein the second edge type indicates a different behavioral relationship between arbitrary nodes interconnected by the second edge type;
  
  determine, using the generated multidimensional logical graph model, that a new edge has been added to the set of edges; and
  
  in response to determining that the new edge has been added to the set of edges, automatically generate an alert that an anomaly in the network environment associated with the new edge has occurred; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1 wherein the generated multidimensional logical graph model represents a baseline of behavior of nodes included in the network environment.
  - 3. The system of claim 2 wherein using the multidimensional logical graph model to detect the anomaly includes comparing a current graph associated with the network environment against the baseline.
  - 4. The system of claim 1 wherein the network environment comprises a datacenter.
  - 5. The system of claim 1 wherein the detected anomaly is associated with identifying a security threat.
  - 6. The system of claim 1 wherein the multidimensional logical graph model is generated at least in part by performing matching neighbors clustering on a graph.
  - 7. The system of claim 6 wherein the graph comprises process information.
  - 8. The system of claim 1 wherein the multidimensional logical graph model is generated at least in part by performing similarity ranking on a graph.
  - 9. The system of claim 8 wherein the graph comprises process information.
  - 10. The system of claim 1 wherein the multidimensional logical graph model is generated at least in part by performing a split on a graph.
  - 11. The system of claim 10 wherein the graph comprises process information.
  - 12. The system of claim 10 wherein the split is based at least in part on an application type.
  - 13. The system of claim 1 wherein the processor is further configured to determine whether a process matches a predetermined application type included in a set of predetermined application types.
  - 14. The system of claim 13 wherein the processor is further configured to generate an alert in response to determining that the process does not match any members of the set of predetermined application types.
  - 15. The system of claim 1 wherein detecting the anomaly includes detecting a new node in the multidimensional logical graph model.

16. A method, comprising:
- monitoring activities within a network environment and generating a graph of physical connection information, wherein generating the graph of physical connection information includes matching information provided by a client and a server, respectively, into an established connection between the client and the server;
  
  using at least a portion of the generated graph of physical connection information to generate a multidimensional logical graph model, wherein the multidimensional logical graph model comprises a set of nodes and a set of edges, wherein a first node included in the set of nodes corresponds to an entity of a first type and wherein a second node included in the set of nodes corresponds to an entity of a second type that is different from the first type, wherein an edge connects the first node and the second node, wherein a first edge between the first node and the second node has a first edge type and a second edge between the second node and a third node has a second edge type that is different from the first edge type, wherein the first edge type indicates a first behavioral relationship between arbitrary nodes interconnected by the first edge type, and wherein the second edge type indicates a different behavioral relationship between arbitrary nodes interconnected by the second edge type;
  
  determining, using the generated multidimensional logical graph model, that a new edge has been added to the set of edges; and
  
  in response to determining that the new edge has been added to the set of edges, automatically generating an alert that an anomaly in the network environment associated with the new edge has occurred.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The method of claim 16 wherein the generated multidimensional logical graph model represents a baseline of behavior of nodes included in the network environment.
  - 18. The method of claim 17 wherein using the multidimensional logical graph model to detect the anomaly includes comparing a current graph associated with the network environment against the baseline.
  - 19. The method of claim 16 wherein the network environment comprises a datacenter.
  - 20. The method of claim 16 wherein the detected anomaly is associated with identifying a security threat.
  - 21. The method of claim 16 wherein the multidimensional logical graph model is generated at least in part by performing matching neighbors clustering on a graph.
  - 22. The method of claim 21 wherein the graph comprises process information.
  - 23. The method of claim 16 wherein the multidimensional logical graph model is generated at least in part by performing similarity ranking on a graph.
  - 24. The method of claim 23 wherein the graph comprises process information.
  - 25. The method of claim 16 wherein the multidimensional logical graph model is generated at least in part by performing a split on a graph.
  - 26. The method of claim 25 wherein the graph comprises process information.
  - 27. The method of claim 25 wherein the split is based at least in part on an application type.
  - 28. The method of claim 16 further comprising determining whether a process matches a predetermined application type included in a set of predetermined application types.
  - 29. The method of claim 28 further comprising generating an alert in response to determining that the process does not match any members of the set of predetermined application types.
  - 30. The method of claim 16 wherein detecting the anomaly includes detecting a new node in the multidimensional logical graph model.

31. A computer program product embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- monitoring activities within a network environment and generating a graph of physical connection information, wherein generating the graph of physical connection information includes matching information provided by a client and a server, respectively, into an established connection between the client and the server;
  
  using at least a portion of the generated graph of physical connection information to generate a multidimensional logical graph model, wherein the multidimensional logical graph model comprises a set of nodes and a set of edges, wherein a first node included in the set of nodes corresponds to an entity of a first type and wherein a second node included in the set of nodes corresponds to an entity of a second type that is different from the first type, wherein an edge connects the first node and the second node, wherein a first edge between the first node and the second node has a first edge type and a second edge between the second node and a third node has a second edge type that is different from the first edge type, wherein the first edge type indicates a first behavioral relationship between arbitrary nodes interconnected by the first edge type, and wherein the second edge type indicates a different behavioral relationship between arbitrary nodes interconnected by the second edge type;
  
  determining, using the generated multidimensional logical graph model, that a new edge has been added to the set of edges; and
  
  in response to determining that the new edge has been added to the set of edges, automatically generating an alert that an anomaly in the network environment associated with the new edge has occurred.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lacework Inc.
Original Assignee
Lacework Inc.
Inventors
Kapoor, Vikram, Pullara, III, Samuel Joseph, Bog, Murat, Chen, Yijou, Kalra, Sanjay
Primary Examiner(s)
Boutah, Alina A

Application Number

US16/134,794
Time in Patent Office

532 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2456   Join operations

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 16/9038   Presentation of query results

G06F 16/9535   Search customisation based ...

G06F 16/9537   Spatial or temporal depende...

G06F 21/57   Certifying or maintaining t...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/545   where tasks reside in diffe...

H04L 43/045   for graphical visualisation...

H04L 43/06   Generation of reports

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/306   User profiles

H04L 67/535   Tracking the activity of th...

Using graph-based models to identify datacenter anomalies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Using graph-based models to identify datacenter anomalies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links