Managing incident response operations based on monitored network activity

US 10,594,718 B1
Filed: 08/21/2018
Issued: 03/17/2020
Est. Priority Date: 08/21/2018
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring network traffic using one or more network computers, wherein execution of instructions by the one or more network computers perform the method comprising:

instantiating a monitoring engine to perform actions, including;

monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics;

generating a device relation model for representing direct and indirect relationships between the plurality of entities;

dynamically modifying the device relation model based on one or more priorities of the one or more direct and indirect relationships to one or more of the plurality of entities, wherein the one or more priorities are based on communication between the plurality of entities that are employed to generate one or more of a type or a weight for the one or more direct and indirect relationships; and

determining an anomaly based on the one or more metrics exceeding one or more threshold values; and

instantiating an inference engine that performs actions, including;

providing an anomaly profile from a plurality of anomaly profiles based on one or more portions of the network traffic that are associated with the anomaly and the device relationship model;

providing an investigation profile from a plurality of investigation profiles based on the anomaly profile, wherein the investigation profile includes a representation of one or more of classes, types or categorizations and information associated with one or more previously performed investigation activities and results associated with one or more previous investigations of the anomaly;

monitoring the investigation of the anomaly based on one or more other portions of the network traffic, wherein the one or more other portions of the network traffic are associated with monitoring an occurrence of the one or more investigation activities; and

modifying a performance score that is associated with the investigation profile based on the occurrence of the one or more investigation activities and a completion status of the investigation, wherein the performance score is decreased when one or more other investigation activities are included in the investigation or when one or more of the one or more investigation activities are omitted from the investigation of the anomaly.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to monitoring network traffic associated with networks to provide metrics. A monitoring engine may determine an anomaly based on the metrics exceeding threshold values. An inference engine may be instantiated to provide an anomaly profile based on portions of the network traffic that are associated with the anomaly. The inference engine may provide an investigation profile based on the anomaly profile such that the investigation profile includes information associated with investigation activities associated with an investigation of the anomaly. The inference engine may monitor the investigation of the anomaly based on other portions of the network traffic such that the other portions of the network traffic are associated with monitoring an occurrence of the investigation activities. The inference engine may modify a performance score associated with the investigation profile based on the occurrence of the investigation activities and a completion status of the investigation.

332 Citations

30 Claims

1. A method for monitoring network traffic using one or more network computers, wherein execution of instructions by the one or more network computers perform the method comprising:
- instantiating a monitoring engine to perform actions, including;
  
  monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics;
  
  generating a device relation model for representing direct and indirect relationships between the plurality of entities;
  
  dynamically modifying the device relation model based on one or more priorities of the one or more direct and indirect relationships to one or more of the plurality of entities, wherein the one or more priorities are based on communication between the plurality of entities that are employed to generate one or more of a type or a weight for the one or more direct and indirect relationships; and
  
  determining an anomaly based on the one or more metrics exceeding one or more threshold values; and
  
  instantiating an inference engine that performs actions, including;
  
  providing an anomaly profile from a plurality of anomaly profiles based on one or more portions of the network traffic that are associated with the anomaly and the device relationship model;
  
  providing an investigation profile from a plurality of investigation profiles based on the anomaly profile, wherein the investigation profile includes a representation of one or more of classes, types or categorizations and information associated with one or more previously performed investigation activities and results associated with one or more previous investigations of the anomaly;
  
  monitoring the investigation of the anomaly based on one or more other portions of the network traffic, wherein the one or more other portions of the network traffic are associated with monitoring an occurrence of the one or more investigation activities; and
  
  modifying a performance score that is associated with the investigation profile based on the occurrence of the one or more investigation activities and a completion status of the investigation, wherein the performance score is decreased when one or more other investigation activities are included in the investigation or when one or more of the one or more investigation activities are omitted from the investigation of the anomaly.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein providing the investigation profile, further comprises:
    - providing one or more investigation models that are trained to classify anomaly profiles;
      
      employing the one or more investigation models to classify the anomaly profile; and
      
      providing the investigation profile based on a classification of the anomaly profile.
  - 3. The method of claim 1, wherein the inference engine performs further actions, including:
    - providing network activity information that is associated with one or more previous occurrences of one or more anomalies;
      
      providing investigation activity information that is associated with previous investigations associated with one or more investigation profiles and the one or more anomalies; and
      
      evaluating the one or more investigation profiles based on the investigation activity information associated with previous investigations of the one or more anomalies, wherein the one or more investigation profiles are optimized based on the evaluation.
  - 4. The method of claim 1, wherein the inference engine performs further actions, including:
    - providing network activity information that is associated with one or more previous occurrences of one or more anomalies;
      
      providing investigation activity information and completion results that are associated with previous investigations associated with one or more investigation profiles and the one or more anomalies;
      
      training one or more investigation models to provide an investigation profile based on an input that includes an input anomaly profile, investigation activity information, and completion results; and
      
      re-training the one or more investigation models when a confidence score associated with the one or more investigation models is less than a threshold value.
  - 5. The method of claim 1, wherein the inference engine performs further actions, including:
    - providing a playbook that defines one or more actions for investigating the anomaly;
      
      comparing the occurrence of the one or more investigation activities with the one or more actions defined in the playbook to provide a deviation score, wherein the deviation score is associated with a number of the one or more actions that are not performed during the investigation; and
      
      evaluating an efficacy of the playbook based on the deviation score and the completion result associated with the investigation.
  - 6. The method of claim 1, wherein providing the anomaly profile further comprises:
    - providing one or more features associated with the anomaly based on the one or more portions of the network traffic that are associated with the anomaly;
      
      comparing the one or more features to one or more other features that are associated with the plurality of anomaly profiles; and
      
      generating the anomaly profile based on a negative result of the comparison, wherein the anomaly profile is generated based on the one or more features.
  - 7. The method of claim 1, wherein the inference engine performs further actions, including, generating the investigation profile based on the one or more other portions of the network traffic that are associated with the one or more investigation activities.
  - 8. The method of claim 1, wherein the inference engine performs further actions, including, providing one or more reports based on the investigation and the completion result, wherein the one or more reports are displayed to one or more users.

9. A processor readable non-transitory storage media that includes instructions for monitoring network traffic using one or more network monitoring computers, wherein execution of the instructions by the one or more network computers perform the method comprising:
- instantiating a monitoring engine to perform actions, including;
  
  monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics;
  
  generating a device relation model for representing direct and indirect relationships between the plurality of entities;
  
  dynamically modifying the device relation model based on one or more priorities of the one or more direct and indirect relationships to one or more of the plurality of entities, wherein the one or more priorities are based on communication between the plurality of entities that are employed to generate one or more of a type or a weight for the one or more direct and indirect relationships; and
  
  determining an anomaly based on the one or more metrics exceeding one or more threshold values; and
  
  instantiating an inference engine that performs actions, including;
  
  providing an anomaly profile from a plurality of anomaly profiles based on one or more portions of the network traffic that are associated with the anomaly and the device relationship model;
  
  providing an investigation profile from a plurality of investigation profiles based on the anomaly profile, wherein the investigation profile includes a representation of one or more of classes, types or categorizations and information associated with one or more previously performed investigation activities and results associated with one or more previous investigations of the anomaly;
  
  monitoring the investigation of the anomaly based on one or more other portions of the network traffic, wherein the one or more other portions of the network traffic are associated with monitoring an occurrence of the one or more investigation activities; and
  
  modifying a performance score that is associated with the investigation profile based on the occurrence of the one or more investigation activities and a completion status of the investigation, wherein the performance score is decreased when one or more other investigation activities are included in the investigation or when one or more of the one or more investigation activities are omitted from the investigation of the anomaly.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The media of claim 9, wherein providing the investigation profile, further comprises:
    - providing one or more investigation models that are trained to classify anomaly profiles;
      
      employing the one or more investigation models to classify the anomaly profile; and
      
      providing the investigation profile based on a classification of the anomaly profile.
  - 11. The media of claim 9, wherein the inference engine performs further actions, including:
    - providing network activity information that is associated with one or more previous occurrences of one or more anomalies;
      
      providing investigation activity information that is associated with previous investigations associated with one or more investigation profiles and the one or more anomalies; and
      
      evaluating the one or more investigation profiles based on the investigation activity information associated with previous investigations of the one or more anomalies, wherein the one or more investigation profiles are optimized based on the evaluation.
  - 12. The media of claim 9, wherein the inference engine performs further actions, including:
    - providing network activity information that is associated with one or more previous occurrences of one or more anomalies;
      
      providing investigation activity information and completion results that are associated with previous investigations associated with one or more investigation profiles and the one or more anomalies;
      
      training one or more investigation models to provide an investigation profile based on an input that includes an input anomaly profile, investigation activity information, and completion results; and
      
      re-training the one or more investigation models when a confidence score associated with the one or more investigation models is less than a threshold value.
  - 13. The media of claim 9, wherein the inference engine performs further actions, including:
    - providing a playbook that defines one or more actions for investigating the anomaly;
      
      comparing the occurrence of the one or more investigation activities with the one or more actions defined in the playbook to provide a deviation score, wherein the deviation score is associated with a number of the one or more actions that are not performed during the investigation; and
      
      evaluating an efficacy of the playbook based on the deviation score and the completion result associated with the investigation.
  - 14. The media of claim 9, wherein providing the anomaly profile further comprises:
    - providing one or more features associated with the anomaly based on the one or more portions of the network traffic that are associated with the anomaly;
      
      comparing the one or more features to one or more other features that are associated with the plurality of anomaly profiles; and
      
      generating the anomaly profile based on a negative result of the comparison, wherein the anomaly profile is generated based on the one or more features.
  - 15. The media of claim 9, wherein the inference engine performs further actions, including, generating the investigation profile based on the one or more other portions of the network traffic that are associated with the one or more investigation activities.
  - 16. The media of claim 9, wherein the inference engine performs further actions, including, providing one or more reports based on the investigation and the completion result, wherein the one or more reports are displayed to one or more users.

17. A system for monitoring network traffic in a network:
- one or more network computers, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  instantiating a monitoring engine to perform actions, including;
  
  monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics;
  
  generating a device relation model for representing direct and indirect relationships between the plurality of entities;
  
  dynamically modifying the device relation model based on one or more priorities of the one or more direct and indirect relationships to one or more of the plurality of entities, wherein the one or more priorities are based on communication between the plurality of entities that are employed to generate one or more of a type or a weight for the one or more direct and indirect relationships; and
  
  determining an anomaly based on the one or more metrics exceeding one or more threshold values; and
  
  instantiating an inference engine that performs actions, including;
  
  providing an anomaly profile from a plurality of anomaly profiles based on one or more portions of the network traffic that are associated with the anomaly and the device relationship model;
  
  providing an investigation profile from a plurality of investigation profiles based on the anomaly profile, wherein the investigation profile includes a representation of one or more of classes, types or categorizations and information associated with one or more previously performed investigation activities and results associated with one or more previous investigations of the anomaly;
  
  monitoring the investigation of the anomaly based on one or more other portions of the network traffic, wherein the one or more other portions of the network traffic are associated with monitoring an occurrence of the one or more investigation activities; and
  
  modifying a performance score that is associated with the investigation profile based on the occurrence of the one or more investigation activities and a completion status of the investigation, wherein the performance score is decreased when one or more other investigation activities are included in the investigation or when one or more of the one or more investigation activities are omitted from the investigation of the anomaly; and
  
  one or more client computers, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing one or more of the one or more portions of the network traffic.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The system of claim 17, wherein providing the investigation profile, further comprises:
    - providing one or more investigation models that are trained to classify anomaly profiles;
      
      employing the one or more investigation models to classify the anomaly profile; and
      
      providing the investigation profile based on a classification of the anomaly profile.
  - 19. The system of claim 17, wherein the inference engine performs further actions, including:
    - providing network activity information that is associated with one or more previous occurrences of one or more anomalies;
      
      providing investigation activity information that is associated with previous investigations associated with one or more investigation profiles and the one or more anomalies; and
      
      evaluating the one or more investigation profiles based on the investigation activity information associated with previous investigations of the one or more anomalies, wherein the one or more investigation profiles are optimized based on the evaluation.
  - 20. The system of claim 17, wherein the inference engine performs further actions, including:
    - providing network activity information that is associated with one or more previous occurrences of one or more anomalies;
      
      providing investigation activity information and completion results that are associated with previous investigations associated with one or more investigation profiles and the one or more anomalies;
      
      training one or more investigation models to provide an investigation profile based on an input that includes an input anomaly profile, investigation activity information, and completion results; and
      
      re-training the one or more investigation models when a confidence score associated with the one or more investigation models is less than a threshold value.
  - 21. The system of claim 17, wherein the inference engine performs further actions, including:
    - providing a playbook that defines one or more actions for investigating the anomaly;
      
      comparing the occurrence of the one or more investigation activities with the one or more actions defined in the playbook to provide a deviation score, wherein the deviation score is associated with a number of the one or more actions that are not performed during the investigation; and
      
      evaluating an efficacy of the playbook based on the deviation score and the completion result associated with the investigation.
  - 22. The system of claim 17, wherein providing the anomaly profile further comprises:
    - providing one or more features associated with the anomaly based on the one or more portions of the network traffic that are associated with the anomaly;
      
      comparing the one or more features to one or more other features that are associated with the plurality of anomaly profiles; and
      
      generating the anomaly profile based on a negative result of the comparison, wherein the anomaly profile is generated based on the one or more features.
  - 23. The system of claim 17, wherein the inference engine performs further actions, including, generating the investigation profile based on the one or more other portions of the network traffic that are associated with the one or more investigation activities.

24. A network computer for monitoring communication over a network between two or more computers, comprising:
- a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  instantiating a monitoring engine to perform actions, including;
  
  monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics;
  
  generating a device relation model for representing direct and indirect relationships between the plurality of entities;
  
  dynamically modifying the device relation model based on one or more priorities of the one or more direct and indirect relationships to one or more of the plurality of entities, wherein the one or more priorities are based on communication between the plurality of entities that are employed to generate one or more of a type or a weight for the one or more direct and indirect relationships; and
  
  determining an anomaly based on the one or more metrics exceeding one or more threshold values; and
  
  instantiating an inference engine that performs actions, including;
  
  providing an anomaly profile from a plurality of anomaly profiles based on one or more portions of the network traffic that are associated with the anomaly and the device relationship model;
  
  providing an investigation profile from a plurality of investigation profiles based on the anomaly profile, wherein the investigation profile includes a representation of one or more of classes, types or categorizations and information associated with one or more previously performed investigation activities and results associated with one or more previous investigations of the anomaly;
  
  monitoring the investigation of the anomaly based on one or more other portions of the network traffic, wherein the one or more other portions of the network traffic are associated with monitoring an occurrence of the one or more investigation activities; and
  
  modifying a performance score that is associated with the investigation profile based on the occurrence of the one or more investigation activities and a completion status of the investigation, wherein the performance score is decreased when one or more other investigation activities are included in the investigation or when one or more of the one or more investigation activities are omitted from the investigation of the anomaly.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The network computer of claim 24, wherein providing the investigation profile, further comprises:
    - providing one or more investigation models that are trained to classify anomaly profiles;
      
      employing the one or more investigation models to classify the anomaly profile; and
      
      providing the investigation profile based on a classification of the anomaly profile.
  - 26. The network computer of claim 24, wherein the inference engine performs further actions, including:
    - providing network activity information that is associated with one or more previous occurrences of one or more anomalies;
      
      providing investigation activity information that is associated with previous investigations associated with one or more investigation profiles and the one or more anomalies; and
      
      evaluating the one or more investigation profiles based on the investigation activity information associated with previous investigations of the one or more anomalies, wherein the one or more investigation profiles are optimized based on the evaluation.
  - 27. The network computer of claim 24, wherein the inference engine performs further actions, including:
    - providing network activity information that is associated with one or more previous occurrences of one or more anomalies;
      
      providing investigation activity information and completion results that are associated with previous investigations associated with one or more investigation profiles and the one or more anomalies;
      
      training one or more investigation models to provide an investigation profile based on an input that includes an input anomaly profile, investigation activity information, and completion results; and
      
      re-training the one or more investigation models when a confidence score associated with the one or more investigation models is less than a threshold value.
  - 28. The network computer of claim 24, wherein the inference engine performs further actions, including:
    - providing a playbook that defines one or more actions for investigating the anomaly;
      
      comparing the occurrence of the one or more investigation activities with the one or more actions defined in the playbook to provide a deviation score, wherein the deviation score is associated with a number of the one or more actions that are not performed during the investigation; and
      
      evaluating an efficacy of the playbook based on the deviation score and the completion result associated with the investigation.
  - 29. The network computer of claim 24, wherein providing the anomaly profile further comprises:
    - providing one or more features associated with the anomaly based on the one or more portions of the network traffic that are associated with the anomaly;
      
      comparing the one or more features to one or more other features that are associated with the plurality of anomaly profiles; and
      
      generating the anomaly profile based on a negative result of the comparison, wherein the anomaly profile is generated based on the one or more features.
  - 30. The network computer of claim 24, wherein the inference engine performs further actions, including, generating the investigation profile based on the one or more other portions of the network traffic that are associated with the one or more investigation activities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Deaguero, Joel Benjamin, Driggs, Edmund Hope, Wu, Xue Jun, Braun, Nicholas Jordan, Montague, Michael Kerber Krause, Kelly, Michael Christopher
Primary Examiner(s)
Gracia, Gary S

Application Number

US16/107,509
Publication Number

US 20200067952A1
Time in Patent Office

574 Days
Field of Search

726 22, 726 23, 726 25
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06N 20/00   Machine learning

G06N 5/04   Inference or reasoning models

H04L 41/0645   by additionally acting on o...

H04L 41/14   Network analysis or design

H04L 41/142   using statistical or mathem...

H04L 41/145   involving simulating, desig...

H04L 41/40   using virtualisation of net...

H04L 41/5009   Determining service level p...

H04L 43/045   for graphical visualisation...

H04L 43/062   related to network traffic

H04L 43/08   Monitoring or testing based...

H04L 43/16   Threshold monitoring

H04L 43/20   the monitoring system or th...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/30   Profiles

Managing incident response operations based on monitored network activity

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

332 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Managing incident response operations based on monitored network activity

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

332 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links