Managing incident response operations based on monitored network activity
First Claim
1. A method for monitoring network traffic using one or more network computers, wherein execution of instructions by the one or more network computers perform the method comprising:
    instantiating a monitoring engine to perform actions, including:
        monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics;
        generating a device relation model for representing direct and indirect relationships between the plurality of entities;
        dynamically modifying the device relation model based on one or more priorities of the one or more direct and indirect relationships to one or more of the plurality of entities, wherein the one or more priorities are based on communication between the plurality of entities that are employed to generate one or more of a type or a weight for the one or more direct and indirect relationships; and
        determining an anomaly based on the one or more metrics exceeding one or more threshold values; and
    instantiating an inference engine that performs actions, including:
        providing an anomaly profile from a plurality of anomaly profiles based on one or more portions of the network traffic that are associated with the anomaly and the device relationship model;
        providing an investigation profile from a plurality of investigation profiles based on the anomaly profile, wherein the investigation profile includes a representation of one or more of classes, types or categorizations and information associated with one or more previously performed investigation activities and results associated with one or more previous investigations of the anomaly;
        monitoring the investigation of the anomaly based on one or more other portions of the network traffic, wherein the one or more other portions of the network traffic are associated with monitoring an occurrence of the one or more investigation activities; and
        modifying a performance score that is associated with the investigation profile based on the occurrence of the one or more investigation activities and a completion status of the investigation, wherein the performance score is decreased when one or more other investigation activities are included in the investigation or when one or more of the one or more investigation activities are omitted from the investigation of the anomaly.
6 Assignments
0 Petitions
Abstract
Embodiments are directed to monitoring network traffic associated with networks to provide metrics. A monitoring engine may determine an anomaly based on the metrics exceeding threshold values. An inference engine may be instantiated to provide an anomaly profile based on portions of the network traffic that are associated with the anomaly. The inference engine may provide an investigation profile based on the anomaly profile such that the investigation profile includes information associated with investigation activities associated with an investigation of the anomaly. The inference engine may monitor the investigation of the anomaly based on other portions of the network traffic such that the other portions of the network traffic are associated with monitoring an occurrence of the investigation activities. The inference engine may modify a performance score associated with the investigation profile based on the occurrence of the investigation activities and a completion status of the investigation.
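The abstract and claim 1 describe a pipeline with two cooperating components: a monitoring engine that derives metrics from traffic, maintains a weighted and typed device relation model, and raises an anomaly when a metric crosses a threshold; and an inference engine that maps the anomaly to an anomaly profile, selects an investigation profile listing the activities an analyst is expected to perform, watches the analyst's own network traffic for evidence of those activities, and lowers a performance score when activities are added, omitted, or the investigation is left unfinished. The following is an added, runnable sketch of that pipeline written for this page; it is not the patent's or the assignee's code. The flow records, the internal address prefix, the byte threshold, the mapping from analyst-contacted services to investigation activities, the profile contents and the score penalties are all constructed assumptions chosen to exercise each step.

```python
from collections import defaultdict

INTERNAL_PREFIX = "10.0.0."   # assumption: hosts under this prefix are internal

# Constructed flow records: (src, dst, dst_port, bytes_sent)
FLOWS = [
    ("10.0.0.5", "10.0.0.20", 445, 2_000),
    ("10.0.0.5", "10.0.0.21", 445, 1_500),
    ("10.0.0.5", "203.0.113.9", 443, 900_000),   # large push to an external host
    ("10.0.0.20", "10.0.0.30", 3306, 4_000),
    ("10.0.0.21", "10.0.0.30", 3306, 3_000),
]

class DeviceRelationModel:
    """Directed graph of entities; each edge has a type and a weight (its priority)
    derived from the communication observed between the two entities."""
    def __init__(self):
        self.edges = defaultdict(lambda: {"weight": 0, "type": None})
    def observe(self, src, dst, port, nbytes):
        edge = self.edges[(src, dst)]
        edge["weight"] += nbytes   # heavier communication, higher priority
        edge["type"] = "external" if not dst.startswith(INTERNAL_PREFIX) else f"tcp/{port}"
    def prune(self, min_weight):
        """Dynamic modification: drop relationships whose priority is too low."""
        for key in [k for k, e in self.edges.items() if e["weight"] < min_weight]:
            del self.edges[key]
    def direct(self, host):
        return {dst for (src, dst) in self.edges if src == host}
    def indirect(self, host):
        """Entities reachable through a direct peer but not talked to directly."""
        two_hops = set()
        for peer in self.direct(host):
            two_hops |= self.direct(peer)
        return two_hops - self.direct(host) - {host}

def monitoring_engine(flows, threshold_bytes):
    """Build the relation model and per-host metrics; flag hosts over threshold."""
    model, bytes_out = DeviceRelationModel(), defaultdict(int)
    for src, dst, port, nbytes in flows:
        model.observe(src, dst, port, nbytes)
        bytes_out[src] += nbytes
    anomalies = sorted(h for h, b in bytes_out.items() if b > threshold_bytes)
    return model, dict(bytes_out), anomalies

# Assumed investigation profiles: expected analyst activities per anomaly profile.
INVESTIGATION_PROFILES = {
    "possible_exfiltration": {"query_siem", "lookup_threat_intel", "pull_pcap"},
    "internal_scan": {"query_siem", "check_edr"},
    "volume_spike": {"query_siem"},
}
# Assumed mapping from services the analyst workstation contacts to the activity evidenced.
ANALYST_SERVICES = {"10.0.0.100": "query_siem", "10.0.0.101": "lookup_threat_intel",
                    "10.0.0.102": "pull_pcap", "10.0.0.103": "check_edr",
                    "10.0.0.104": "remote_shell_to_host"}

def anomaly_profile(host, model):
    """Pick the profile from the traffic tied to the anomaly plus the relation model."""
    peers = model.direct(host)
    if any(model.edges[(host, p)]["type"] == "external" for p in peers):
        return "possible_exfiltration"
    return "internal_scan" if len(peers) >= 3 else "volume_spike"

def observed_activities(investigation_flows, analyst_host):
    """Infer which investigation activities occurred from the analyst's own traffic."""
    return {ANALYST_SERVICES[dst] for src, dst, _p, _n in investigation_flows
            if src == analyst_host and dst in ANALYST_SERVICES}

def score_investigation(profile, observed, completed, base=100,
                        extra_penalty=10, omitted_penalty=15, incomplete_penalty=25):
    """Decrease the score for unexpected or omitted activities and for an
    unfinished investigation (penalty weights are assumptions)."""
    expected = INVESTIGATION_PROFILES[profile]
    extra, omitted = observed - expected, expected - observed
    score = base - extra_penalty * len(extra) - omitted_penalty * len(omitted)
    if not completed:
        score -= incomplete_penalty
    return max(score, 0), sorted(extra), sorted(omitted)

# Constructed analyst traffic during the investigation (src, dst, port, bytes).
INVESTIGATION_FLOWS = [
    ("10.0.0.50", "10.0.0.100", 443, 8_000),  # SIEM query
    ("10.0.0.50", "10.0.0.101", 443, 2_000),  # threat-intel lookup
    ("10.0.0.50", "10.0.0.104", 22, 5_000),   # unexpected shell to another host
]

def run_example():
    """End to end: monitor, flag, profile, watch the investigation, score it."""
    model, metrics, anomalies = monitoring_engine(FLOWS, threshold_bytes=100_000)
    model.prune(min_weight=1_600)   # drops the 1,500-byte relationship
    results = {}
    for host in anomalies:
        profile = anomaly_profile(host, model)
        observed = observed_activities(INVESTIGATION_FLOWS, "10.0.0.50")
        score, extra, omitted = score_investigation(profile, observed, completed=True)
        results[host] = {"bytes_out": metrics[host], "profile": profile,
                         "indirect": sorted(model.indirect(host)),
                         "score": score, "extra": extra, "omitted": omitted}
    return results
```

With the constructed data, `run_example()` flags 10.0.0.5 for 903,500 outbound bytes, classifies it as possible exfiltration because the relation model records an external peer, reports 10.0.0.30 as an indirect relationship reached through the SMB peers, and scores the investigation 75: the analyst queried the SIEM and threat intel as expected, opened an unexpected shell to another host (one extra activity, minus 10) and never pulled a pcap (one omitted activity, minus 15). The point a practitioner should take from the claim is that the investigation is itself evidence: it is inferred from the analyst's traffic, not from a ticket, so the activity mapping has to be trustworthy or the score will be wrong.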
332 Citations
30 Claims
1. Independent claim 1 is set out in full above under First Claim. Dependent claims: 2 to 8.
9. A processor readable non-transitory storage media that includes instructions for monitoring network traffic using one or more network monitoring computers, wherein execution of the instructions by the one or more network computers perform the method comprising:
    instantiating a monitoring engine to perform actions, including:
        monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics;
        generating a device relation model for representing direct and indirect relationships between the plurality of entities;
        dynamically modifying the device relation model based on one or more priorities of the one or more direct and indirect relationships to one or more of the plurality of entities, wherein the one or more priorities are based on communication between the plurality of entities that are employed to generate one or more of a type or a weight for the one or more direct and indirect relationships; and
        determining an anomaly based on the one or more metrics exceeding one or more threshold values; and
    instantiating an inference engine that performs actions, including:
        providing an anomaly profile from a plurality of anomaly profiles based on one or more portions of the network traffic that are associated with the anomaly and the device relationship model;
        providing an investigation profile from a plurality of investigation profiles based on the anomaly profile, wherein the investigation profile includes a representation of one or more of classes, types or categorizations and information associated with one or more previously performed investigation activities and results associated with one or more previous investigations of the anomaly;
        monitoring the investigation of the anomaly based on one or more other portions of the network traffic, wherein the one or more other portions of the network traffic are associated with monitoring an occurrence of the one or more investigation activities; and
        modifying a performance score that is associated with the investigation profile based on the occurrence of the one or more investigation activities and a completion status of the investigation, wherein the performance score is decreased when one or more other investigation activities are included in the investigation or when one or more of the one or more investigation activities are omitted from the investigation of the anomaly.
Dependent claims: 10 to 16.
17. A system for monitoring network traffic in a network:
    one or more network computers, comprising:
        a transceiver that communicates over the network;
        a memory that stores at least instructions; and
        one or more processors that execute instructions that perform actions, including:
            instantiating a monitoring engine to perform actions, including:
                monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics;
                generating a device relation model for representing direct and indirect relationships between the plurality of entities;
                dynamically modifying the device relation model based on one or more priorities of the one or more direct and indirect relationships to one or more of the plurality of entities, wherein the one or more priorities are based on communication between the plurality of entities that are employed to generate one or more of a type or a weight for the one or more direct and indirect relationships; and
                determining an anomaly based on the one or more metrics exceeding one or more threshold values; and
            instantiating an inference engine that performs actions, including:
                providing an anomaly profile from a plurality of anomaly profiles based on one or more portions of the network traffic that are associated with the anomaly and the device relationship model;
                providing an investigation profile from a plurality of investigation profiles based on the anomaly profile, wherein the investigation profile includes a representation of one or more of classes, types or categorizations and information associated with one or more previously performed investigation activities and results associated with one or more previous investigations of the anomaly;
                monitoring the investigation of the anomaly based on one or more other portions of the network traffic, wherein the one or more other portions of the network traffic are associated with monitoring an occurrence of the one or more investigation activities; and
                modifying a performance score that is associated with the investigation profile based on the occurrence of the one or more investigation activities and a completion status of the investigation, wherein the performance score is decreased when one or more other investigation activities are included in the investigation or when one or more of the one or more investigation activities are omitted from the investigation of the anomaly; and
    one or more client computers, comprising:
        a transceiver that communicates over the network;
        a memory that stores at least instructions; and
        one or more processors that execute instructions that perform actions, including:
            providing one or more of the one or more portions of the network traffic.
Dependent claims: 18 to 23.
24. A network computer for monitoring communication over a network between two or more computers, comprising:
    a transceiver that communicates over the network;
    a memory that stores at least instructions; and
    one or more processors that execute instructions that perform actions, including:
        instantiating a monitoring engine to perform actions, including:
            monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics;
            generating a device relation model for representing direct and indirect relationships between the plurality of entities;
            dynamically modifying the device relation model based on one or more priorities of the one or more direct and indirect relationships to one or more of the plurality of entities, wherein the one or more priorities are based on communication between the plurality of entities that are employed to generate one or more of a type or a weight for the one or more direct and indirect relationships; and
            determining an anomaly based on the one or more metrics exceeding one or more threshold values; and
        instantiating an inference engine that performs actions, including:
            providing an anomaly profile from a plurality of anomaly profiles based on one or more portions of the network traffic that are associated with the anomaly and the device relationship model;
            providing an investigation profile from a plurality of investigation profiles based on the anomaly profile, wherein the investigation profile includes a representation of one or more of classes, types or categorizations and information associated with one or more previously performed investigation activities and results associated with one or more previous investigations of the anomaly;
            monitoring the investigation of the anomaly based on one or more other portions of the network traffic, wherein the one or more other portions of the network traffic are associated with monitoring an occurrence of the one or more investigation activities; and
            modifying a performance score that is associated with the investigation profile based on the occurrence of the one or more investigation activities and a completion status of the investigation, wherein the performance score is decreased when one or more other investigation activities are included in the investigation or when one or more of the one or more investigation activities are omitted from the investigation of the anomaly.
Dependent claims: 25 to 30.