Analytic-based security monitoring system and method

US 10,728,263 B1
Filed: 10/15/2018
Issued: 07/28/2020
Est. Priority Date: 04/13/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a hardware processor; and

at least one memory for storing instructions executable by at least the hardware processor to;

detect a plurality of behavioral characteristics from behavioral data that is used as a basis of an attack,determine, in accordance with a correlation profile, one or more behavioral fragments each comprising one or more behavioral characteristics of the plurality of behavioral characteristics,correlate, in accordance with the correlation profile, the one or more determined behavioral fragments against an attack profile comprising a plurality of sets of behavioral fragments,identify an attack based on the correlated one or more determined behavioral fragments, andupdating the correlation profile after an analysis of the identified attack.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An analytics-based security monitoring system adapted to detect a plurality of behavioral characteristics from behavioral data, each representing an action conducted in a computing environment. Furthermore, the system determines, in accordance with a correlation profile, one or more behavioral fragments, each comprising a plurality of the behavioral characteristics. In accordance with the correlation profile, the one or more determined behavioral fragments are correlated against an attack profile comprising a plurality of sets of behavioral fragments where each set of behavioral fragments forms a malicious behavior pattern of a known attack. Thereafter, an attack based on the correlated one or more determined behavioral fragments may be identified, and the correlation profile is updated after an analysis of the identified attack.

Citations

43 Claims

1. A system comprising:
- a hardware processor; and
  
  at least one memory for storing instructions executable by at least the hardware processor to;
  
  detect a plurality of behavioral characteristics from behavioral data that is used as a basis of an attack,determine, in accordance with a correlation profile, one or more behavioral fragments each comprising one or more behavioral characteristics of the plurality of behavioral characteristics,correlate, in accordance with the correlation profile, the one or more determined behavioral fragments against an attack profile comprising a plurality of sets of behavioral fragments,identify an attack based on the correlated one or more determined behavioral fragments, andupdating the correlation profile after an analysis of the identified attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The system of claim 1, wherein the instructions are further executed to:
    - identify the attack by generating a score based on the correlated one or more determined behavioral fragments, wherein the score is indicative of a relevance of one detected behavioral characteristic to another detected behavioral characteristic indicating a likelihood of the one or more determined behavioral fragments represent attack fragments and identifies an attack is occurring based on the attack profile of one or more attack profiles.
  - 3. The system of claim 1, wherein the instructions are further executed to:
    - correlate a first behavioral characteristic against one or more other behavioral characteristics;
      
      generate a behavioral score indicative of a level of relevance of the first behavioral characteristic to the one or more other behavioral characteristics using one or more correlation weighting factors; and
      
      identify the attack by generating a score based on the correlated one or more determined behavioral fragments.
  - 4. The system of claim 3, wherein the instructions are further executed to perform a learning process that includes analyzing a previously identified attack, and modifying the at least one correlation weighting factor according to the analyzed attack.
  - 5. The system of claim 1, wherein the instructions are further executed to detect the plurality of behavioral characteristics using one or more detection weighting factors associated with the behavioral data.
  - 6. The system of claim 1, wherein the instructions are further executed to normalize received data including the behavioral data into a common format prior to detecting the plurality of behavioral characteristics.
  - 7. The system of claim 1 further comprising:
    - performing a remedial action by conducting least one of generating an alert message, tracing an origin comprising one or more computing nodes associated with the attack, and halting operation of the one or more computing nodes associated with the attack.
  - 8. The system of claim 1, wherein each of the plurality of behavioral characteristics representing an action conducted in a computing environment.
  - 9. The system of claim 8, wherein the computing environment constitutes a local computing environment analysis stage where a local computing environment that comprises one or more computing devices.
  - 10. The system of claim 8, wherein the computing environment constitutes an inter-computing environment analysis stage where a local computing environment comprises a plurality of computing devices spanning across a plurality of networks.
  - 11. The system of claim 8, wherein the computing environment includes a plurality of computing devices operating as a cluster or a unified computing system.
  - 12. The system of claim 1, wherein the correlation profile includes information to associate event data from an event log into behavioral characteristics and information to associate the behavior characteristics into behavioral fragments.
  - 13. The system of claim 1, wherein the behavioral data corresponds to event log data including data related to observed events received from one or more computer systems.
  - 14. The system of claim 13, wherein the at least one memory further comprises a normalization module that is executable by the hardware processor to normalize the event log data received from a plurality of computer systems of the one or more computer systems into a common format prior to conducting an operation to detect the plurality of behavioral characteristics.
  - 15. The system of claim 13, wherein the normalization module being configured to filter portions of the data related to the observed events based on (i) event type or (ii) observation time.
  - 16. The system of claim 1, wherein the correlation profile includes information for use in identifying one or more sets of related or mutually relevant behavioral characteristics based on the correlation profile of known, frequently related behavioral characteristics to form each of the one or more determined behavioral fragments.
  - 17. The system of claim 16, wherein the attack profile includes the plurality of sets of behavioral fragments where each set of behavioral fragments includes behavioral characteristics associated with a behavioral fragment of a known attack.
  - 18. The system of claim 1, wherein the instructions to further cause the hardware processor to identify an inter-computing environment attack by comparing the correlated one or more behavioral fragments against an attack profile including information associated with one or more attacks identified in other computing environments.
  - 19. The system of claim 18, wherein each of the other computing environments includes a private network.
  - 20. The system of claim 1, wherein the instructions are configured to support operations in accordance with a multiple analysis stages including a local computing environment analysis stage in which operations conducted to identify the attack are performed within a single computing environment and an inter-computing environment analysis stage in which operations conducted to identify the attack is performed across or within a plurality of computing environments.
  - 21. The system of claim 1, wherein determining the one or more behavioral fragments according to the correlation profile is based on one or more factors including whether:
    - (i) the elapsed amount of time between the behavioral characteristics was under a threshold so as to have occurred within a prescribed window of time, (ii) the behavioral characteristics were detected on a same or different network device(s), (iii) the behavioral characteristics arose during processing of a same object or type of object, or (iv) the behavioral characteristics arose while processing objects from a same network source.
  - 22. The system of claim 1, wherein the instructions are further executed to:
    - identify the attack by generating a score based on the correlated one or more determined behavioral fragments, indicating a likelihood of the one or more determined behavioral fragments represent attack fragments and identifies an attack is occurring based on the attack profile of one or more attack profiles.

23. A security monitoring system including at least one processor for execution of stored software, the security monitoring system comprising:
- a behavioral characteristic detection module that, upon execution by the at least one processor, analyzes data in an event log to detect a plurality of behavioral characteristics from the event log data;
  
  a behavioral fragment determination module that, upon execution by the at least one processor, correlates a first of the detected behavioral characteristics against at least one other of the detected behavioral characteristics, and a second of the detected behavioral characteristics against at least one other of the detected behavioral characteristics, to identify thereby respective first and second behavioral fragments;
  
  an attack identification module that, upon execution by the at least one processor, identifies an attack by correlating the first and second behavioral fragments against an attack profile including information associated with a plurality of sets of behavioral fragments that each form a malicious behavior pattern of the attack; and
  
  a learning module to update a correlation profile being used by the behavioral fragment determination module to determine whether the first and second behavioral fragments are correlated with any of the plurality of sets of behavioral fragments, the correlation profile including information for use in identifying related or mutually relevant behavioral characteristics based on the correlation profile of known, frequently related behavioral characteristics to form each of the first and second behavioral fragments.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 40, 41)
- - 24. The security monitoring system of claim 23, wherein the behavioral fragment determination module further provides a control signal to the behavioral characteristic detection module to cause the behavioral characteristic detection module to re-analyze the event log data to detect, based on a fragment profile, a behavioral characteristic that was not detected when the event log data was analyzed previously.
  - 25. The security monitoring system of claim 23, wherein the attack identification module further provides a control signal to the behavioral characteristic detection module to cause the behavioral characteristic detection module to re-analyze the event log data to detect, based on a fragment profile, a behavioral characteristic that was not detected when the event log data was analyzed previously.
  - 26. The security monitoring system of claim 23, wherein the attack identification module further provides a control signal to the behavioral fragment determination module to cause the behavioral fragment determination module to re-correlate the behavioral characteristics based on the attack profile, to determine either a third behavioral fragment constituting part of the attack or an additional behavioral characteristic that was previously omitted from the first and second behavioral fragments.
  - 27. The security monitoring system of claim 23, wherein the event log data collected from at least one computing node in a computing environment, each of the plurality of behavioral characteristics representing an action conducted in the computing environment.
  - 28. The security monitoring system of claim 23, wherein the learning module is configured to modify at least the correlation profile or the attack profiles based on feedback information provided from at least the attack identification module to the behavioral fragment determination module.
  - 29. The security monitoring system of claim 23 further comprising:
    - a score generator that, upon execution by the at least one processor, generates a score to be associated with one or more behavioral characteristics identified in the event log data, wherein the score associated with each of the one or more behavioral characteristics is configured to influence a score generated in association with at least the first and second behavioral fragments by the attack identification module to determine an actual or potential attack upon satisfying a threshold.
  - 30. The system of claim 23, wherein the behavioral fragment determination module correlates the behavioral characteristics based on one or more factors including whether:
    - (i) the elapsed amount of time between the behavioral characteristics was under a threshold so as to have occurred within a prescribed window of time, (ii) the behavioral characteristics were detected on a same or different network device(s), (iii) the behavioral characteristics arose during processing of a same object or type of object, or (iv) the behavioral characteristics arose while processing objects from a same network source.
  - 40. The method of claim 28, wherein the information is based on known, frequently related behavioral characteristics.
  - 41. The method of claim 40, wherein the attack profile wherein the attack profile includes the plurality of sets of behavioral fragments where each set of behavioral fragments includes behavioral characteristics associated with a behavioral fragment of a known attack.

31. A method comprising:
- detecting a plurality of behavioral characteristics from behavioral data, each of the plurality of behavioral characteristics representing an action conducted in a computing device;
  
  determining one or more behavioral fragments each comprising one or more behavioral characteristics of the plurality of behavioral characteristics;
  
  correlating, in accordance with a correlation profile, the one or more determined behavioral fragments against an attack profile comprising a plurality of sets of behavioral fragments where each set of behavioral fragments forms a malicious behavior pattern of a known attack;
  
  identifying an attack based on the correlated one or more determined behavioral fragments; and
  
  updating the correlation profile after an analysis of the identified attack.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 42, 43)
- - 32. The system of claim 31, whereinthe determining of the one or more behavioral fragments includes correlating a first behavioral characteristic against one or more other behavioral characteristics to identify related or mutually relevant behavioral characteristics to form a behavioral fragment of the one or more behavioral fragments;
    - andthe identifying of the attack further includes generating an attack score based on the correlated one or more determined behavioral fragments against behavioral fragments of known attacks.
  - 33. The method of claim 32 further comprising:
    - performing a learning process that includes analyzing a previously identified attack, and modifying one or more of (i) the correlation profile, (ii) attack profile, or (iii) instructions executing one or more software modules that access and use information within the correlation profile or the attack profile.
  - 34. The method of claim 32, wherein prior to detecting the plurality of behavioral characteristics, the method further comprises normalizing the received data including the behavioral data from a plurality of computing devices including the computing device into a common format.
  - 35. The method of claim 31 further comprising:
    - performing a remedial action by conducting any one or more of (i) generating an alert message, (ii) tracing an origin comprising one or more computing nodes associated with the attack, or (iii) halting operation of the one or more computing nodes associated with the attack.
  - 36. The method of claim 31, wherein the behavioral data corresponds to event log data including data related to observed events received from one or more computing devices including the computing device.
  - 37. The method of claim 36, wherein the detecting of the plurality of behavioral characteristics further comprises normalizing the event log data from a plurality of sources including the one or more computing devices into a common format prior to conducting an operation to detect the plurality of behavioral characteristics.
  - 38. The method of claim 37, wherein the normalizing of the data further comprises filtering portions of the data related to the observed events based on (i) event type or (ii) observation time.
  - 39. The method of claim 31, wherein the correlation profile includes information for use in identifying one or more sets of related or mutually relevant behavioral characteristics to form each of the one or more determined behavioral fragments.
  - 42. The method of claim 31, wherein the detecting, the determining, the correlating, the identifying and the updating are performed in accordance with a local computing environment analysis stage in which operations conducted to identify the attack is performed within a single computing environment or an inter-computing environment analysis stage in which operations conducted to identify the attack are performed within or across a plurality of computing environments.
  - 43. The method of claim 31, wherein determining the one or more behavioral fragments is based on one or more factors including whether:
    - (i) the elapsed amount of time between the behavioral characteristics was under a threshold so as to have occurred within a prescribed window of time, (ii) the behavioral characteristics were detected on a same or different network device(s), (iii) the behavioral characteristics arose during processing of a same object or type of object, or (iv) the behavioral characteristics arose while processing objects from a same network source.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Neumann, Justin
Primary Examiner(s)
Powers, William S

Application Number

US16/160,913
Time in Patent Office

652 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Analytic-based security monitoring system and method

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Analytic-based security monitoring system and method

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links