Graph-based network anomaly detection across time and entities
First Claim
1. A method comprising:
- accessing a relationship graph having entities as nodes, and relationships among the nodes as links, the relationship graph reflecting a batch of events that occurred during a time range;
- assigning the nodes in the relationship graph to groups based on event timestamps, each group including nodes associated with activities that occurred in a corresponding time unit;
- constructing links for nodes across different groups, wherein a link representing a relationship is established based on a respective activity recorded in the batch of events, each chain of linked nodes forming a component;
- computing a total interest score for the formed component, wherein the total interest score reflects a totality of interest generated from all nodes attached to a given link; and
- identifying a component for further security scrutiny based on the total interest score.
Abstract
The disclosed techniques relate to a graph-based network security analytic framework that combines multiple sources of information and security knowledge in order to detect risky behaviors and potential threats. In some examples, the input can be anomaly events or simply regular events. The entities associated with the activities can be grouped into smaller time units, e.g., per day. The riskiest days of activity can be found by computing a risk score for each day according to the features observed in that day. A graph can be built with links between the time units. The links can also be scored based on a number of factors. The resulting graph can be compared with known security knowledge for adjustments. Threats can be detected based on the adjusted risk score for a component (i.e., a group of linked entities) as well as a number of other factors.
30 Claims
1. A method comprising:
- accessing a relationship graph having entities as nodes, and relationships among the nodes as links, the relationship graph reflecting a batch of events that occurred during a time range;
- assigning the nodes in the relationship graph to groups based on event timestamps, each group including nodes associated with activities that occurred in a corresponding time unit;
- constructing links for nodes across different groups, wherein a link representing a relationship is established based on a respective activity recorded in the batch of events, each chain of linked nodes forming a component;
- computing a total interest score for the formed component, wherein the total interest score reflects a totality of interest generated from all nodes attached to a given link; and
- identifying a component for further security scrutiny based on the total interest score.

(Dependent claims 2 to 28 are not reproduced here.)
29. A computer system comprising:
- a processor; and
- a communication device, operatively coupled to the processor, through which to receive first event data indicative of computer network activity of an entity that is part of or interacts with a computer network and second event data indicative of additional computer network activity associated with the entity;
wherein the processor is configured to perform steps including:
- accessing a relationship graph having entities as nodes, and relationships among the nodes as links, the relationship graph reflecting a batch of events that occurred during a time range;
- assigning the nodes in the relationship graph to groups based on event timestamps, each group including nodes associated with activities that occurred in a corresponding time unit;
- constructing links for nodes across different groups, wherein a link representing a relationship is established based on a respective activity recorded in the batch of events, each chain of linked nodes forming a component;
- computing a total interest score for the formed component, wherein the total interest score reflects a totality of interest generated from all nodes attached to a given link; and
- identifying a component for further security scrutiny based on the total interest score.
30. A non-transitory machine-readable storage medium for use in a processing system, the non-transitory machine-readable storage medium storing instructions, an execution of which in the processing system causes the processing system to perform operations comprising:
- accessing a relationship graph having entities as nodes, and relationships among the nodes as links, the relationship graph reflecting a batch of events that occurred during a time range;
- assigning the nodes in the relationship graph to groups based on event timestamps, each group including nodes associated with activities that occurred in a corresponding time unit;
- constructing links for nodes across different groups, wherein a link representing a relationship is established based on a respective activity recorded in the batch of events, each chain of linked nodes forming a component;
- computing a total interest score for the formed component, wherein the total interest score reflects a totality of interest generated from all nodes attached to a given link; and
- identifying a component for further security scrutiny based on the total interest score.
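A minimal worked version of the method described in the abstract and in claim 1, added here as an illustration; it is not code from the patent or its assignee. It assumes that each input event already carries an interest (anomaly) score, uses the UTC calendar day as the time unit, and links an entity's nodes on consecutive active days so that multi-day activity lands in one component; all three are assumptions, not details the patent text fixes.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample batch: (ISO timestamp, source entity, destination entity, interest).
# The interest value is an anomaly score assumed to be attached to the event upstream.
EVENTS = [
    ("2024-03-01T09:12:00Z", "alice", "fileserver", 0.2),
    ("2024-03-01T22:40:00Z", "alice", "db01", 1.5),
    ("2024-03-02T01:05:00Z", "db01", "ext-host", 3.0),
    ("2024-03-02T10:00:00Z", "bob", "printer", 0.1),
    ("2024-03-03T03:30:00Z", "ext-host", "db02", 2.5),
    ("2024-03-03T11:00:00Z", "carol", "printer", 0.1),
]

def day_of(ts):
    # Time unit used for grouping: the UTC calendar day (an assumption).
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).date()

def build_components(events):
    # Nodes are (entity, day) pairs, so one entity appears once per time unit it was active in.
    parent = {}                      # union-find forest over nodes
    interest = defaultdict(float)    # per-node interest accumulated from its events
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    def union(a, b):
        parent[find(a)] = find(b)
    active_days = defaultdict(set)
    for ts, src, dst, score in events:
        d = day_of(ts)
        a, b = (src, d), (dst, d)
        union(a, b)                  # relationship link within the day, from the event
        interest[a] += score         # both endpoints of the link collect the event's interest
        interest[b] += score
        active_days[src].add(d)
        active_days[dst].add(d)
    for ent, days in active_days.items():
        ds = sorted(days)
        for d1, d2 in zip(ds, ds[1:]):
            if (d2 - d1).days == 1:  # cross-group link: same entity on consecutive days
                union((ent, d1), (ent, d2))
    comps = defaultdict(list)
    for node in interest:
        comps[find(node)].append(node)
    # Total interest score of a component = sum over all nodes chained into it.
    return [(sorted(n), sum(interest[x] for x in n)) for n in comps.values()]

def riskiest_component(events):
    # Component to flag for further scrutiny: the one with the highest total interest score.
    return max(build_components(events), key=lambda c: c[1])
```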
Specification