Analytic-based security monitoring system and method
Abstract
An analytics-based security monitoring system adapted to detect a plurality of behavioral characteristics from behavioral data, each representing an action conducted in a computing environment. Furthermore, the system determines, in accordance with a correlation profile, one or more behavioral fragments, each comprising a plurality of the behavioral characteristics. In accordance with the correlation profile, the one or more determined behavioral fragments are correlated against an attack profile comprising a plurality of sets of behavioral fragments where each set of behavioral fragments forms a malicious behavior pattern of a known attack. Thereafter, an attack based on the correlated one or more determined behavioral fragments may be identified, and the correlation profile is updated after an analysis of the identified attack.
43 Claims

1. A system comprising:
   a hardware processor; and
   at least one memory for storing instructions executable by at least the hardware processor to:
      detect a plurality of behavioral characteristics from behavioral data that is used as a basis of an attack,
      determine, in accordance with a correlation profile, one or more behavioral fragments each comprising one or more behavioral characteristics of the plurality of behavioral characteristics,
      correlate, in accordance with the correlation profile, the one or more determined behavioral fragments against an attack profile comprising a plurality of sets of behavioral fragments,
      identify an attack based on the correlated one or more determined behavioral fragments, and
      update the correlation profile after an analysis of the identified attack.
   (Dependent claims 2 through 22 not shown.)
23. A security monitoring system including at least one processor for execution of stored software, the security monitoring system comprising:
   a behavioral characteristic detection module that, upon execution by the at least one processor, analyzes data in an event log to detect a plurality of behavioral characteristics from the event log data;
   a behavioral fragment determination module that, upon execution by the at least one processor, correlates a first of the detected behavioral characteristics against at least one other of the detected behavioral characteristics, and a second of the detected behavioral characteristics against at least one other of the detected behavioral characteristics, to identify thereby respective first and second behavioral fragments;
   an attack identification module that, upon execution by the at least one processor, identifies an attack by correlating the first and second behavioral fragments against an attack profile including information associated with a plurality of sets of behavioral fragments that each form a malicious behavior pattern of the attack; and
   a learning module to update a correlation profile being used by the behavioral fragment determination module to determine whether the first and second behavioral fragments are correlated with any of the plurality of sets of behavioral fragments, the correlation profile including information for use in identifying related or mutually relevant behavioral characteristics based on the correlation profile of known, frequently related behavioral characteristics to form each of the first and second behavioral fragments.
   (Dependent claims 24 through 30, 40 and 41 not shown.)
31. A method comprising:
   detecting a plurality of behavioral characteristics from behavioral data, each of the plurality of behavioral characteristics representing an action conducted in a computing device;
   determining one or more behavioral fragments each comprising one or more behavioral characteristics of the plurality of behavioral characteristics;
   correlating, in accordance with a correlation profile, the one or more determined behavioral fragments against an attack profile comprising a plurality of sets of behavioral fragments where each set of behavioral fragments forms a malicious behavior pattern of a known attack;
   identifying an attack based on the correlated one or more determined behavioral fragments; and
   updating the correlation profile after an analysis of the identified attack.
   (Dependent claims 32 through 39, 42 and 43 not shown.)
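The pipeline the abstract and the three independent claims describe (detect characteristics, form fragments per a correlation profile, correlate fragments against an attack profile, identify the attack, then update the correlation profile), as an added Python illustration that is not the patent's or its assignee's code; the detector labels, the sample event log, the profiles and the learning rule are all constructed assumptions.

```python
import re
# Constructed event-log lines for the demonstration (not real telemetry).
EVENT_LOG = [
    "host=ws1 proc=winword.exe spawn=powershell.exe",
    "host=ws1 proc=powershell.exe net=203.0.113.5:443",
    "host=ws1 proc=powershell.exe file=C:\\Temp\\a.exe write",
    "host=ws1 proc=a.exe reg=Run add",
]
# Detectors map a log pattern to a behavioral characteristic (hypothetical labels).
DETECTORS = {
    "office_spawns_shell": r"proc=winword\.exe spawn=powershell\.exe",
    "shell_outbound": r"proc=powershell\.exe net=",
    "shell_drops_exe": r"proc=powershell\.exe file=.*\.exe write",
    "run_key_persist": r"reg=Run add",
}
# Correlation profile: characteristics known to be mutually relevant form one fragment.
CORRELATION_PROFILE = {
    "macro_download": {"office_spawns_shell", "shell_outbound"},
    "dropper": {"shell_drops_exe"},
}
# Attack profile: each set of fragments is the behavior pattern of a known attack.
ATTACK_PROFILE = {"macro_dropper": {"macro_download", "dropper"}}

def detect_characteristics(log):
    """Step 1: run every detector over the event log."""
    return {label for line in log for label, pat in DETECTORS.items()
            if re.search(pat, line)}

def determine_fragments(chars, profile):
    """Step 2: a fragment forms once all of its characteristics were detected."""
    return {frag for frag, needed in profile.items() if needed <= chars}

def identify_attacks(frags, attack_profile):
    """Step 3: an attack matches once all of its fragments were formed."""
    return {name for name, needed in attack_profile.items() if needed <= frags}

def update_profile(profile, chars, frags, attacks):
    """Step 4 (learning, constructed rule): characteristics seen during a
    confirmed attack that no fragment covers become a new fragment for it."""
    covered = set().union(*(profile[f] for f in frags))
    learned = dict(profile)
    for attack in attacks:
        if chars - covered:
            learned["learned_" + attack] = chars - covered
    return learned

def monitor(log):
    """Run the full pipeline; returns identified attacks and the updated profile."""
    chars = detect_characteristics(log)
    frags = determine_fragments(chars, CORRELATION_PROFILE)
    attacks = identify_attacks(frags, ATTACK_PROFILE)
    return attacks, update_profile(CORRELATION_PROFILE, chars, frags, attacks)
```

On a second pass over the same log, the learned profile yields a third fragment for the persistence characteristic, which is the point of the claimed learning step.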