Entity Group Behavior Profiling

US 20150373039A1
Filed: 06/18/2015
Published: 12/24/2015
Est. Priority Date: 06/23/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

creating an entity group that includes a plurality of entities, wherein each one of the plurality of entities represents one of a user, a machine, and a service;

creating a behavior profile for each one of the plurality of entities of the entity group;

monitoring behavior of each one of the plurality of entities of the entity group to detect behavior change; and

detecting an indicator of compromise based on multiple ones of the plurality of entities experiencing substantially a same behavior change.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Entity group behavior profiling. An entity group is created that includes multiple entities, where each entity represents one of a user, a machine, and a service. A behavior profile is created for each one of the entities of the entity group. The behavior of each of one of the entities of the entity group is monitored to detect behavior change. An indicator of compromise is detected based on multiple ones of the entities experiencing substantially a same behavior change.

203 Citations

24 Claims

1. A method, comprising:
- creating an entity group that includes a plurality of entities, wherein each one of the plurality of entities represents one of a user, a machine, and a service;
  
  creating a behavior profile for each one of the plurality of entities of the entity group;
  
  monitoring behavior of each one of the plurality of entities of the entity group to detect behavior change; and
  
  detecting an indicator of compromise based on multiple ones of the plurality of entities experiencing substantially a same behavior change.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein creating the entity group is performed responsive to receiving input from a user that specifies the plurality of entities belonging to the entity group.
  - 3. The method of claim 1, wherein creating the entity group is automatically performed and populated with the plurality of entities based on a set of one or more attributes common to those plurality of entities.
  - 4. The method of claim 1, wherein creating the entity group is automatically performed and populated with the plurality of entities based on those plurality of entities previously showing similar behavior.
  - 5. The method of claim 1, wherein the created behavior profile for each one of the plurality of entities of the entity group includes a set of one or more features that are used to distinguish behavior between the plurality of entities.
  - 6. The method of claim 1, wherein the created behavior profile for each one of the plurality of entities of the entity group includes a set of one or more features that are used to distinguish behavior of the created entity group as compared to behavior of a different entity group.
  - 7. The method of claim 6, wherein the set of features are extracted or derived from metadata and other items of interest including one or more of:
    - network packets propagating to/from devices, log information, and flow based connection records.
  - 8. The method of claim 7, wherein detecting the indicator of compromise based on multiple ones of the plurality of entities experiencing substantially a same behavior change includes finding a distance change of current behavior versus historical behavior for each of the multiple ones of the plurality of entities that is within a threshold or percentage change.

9. A non-transitory machine-readable storage medium that provides instructions that, if executed by a processor, will cause said processor to perform operations comprising:
- creating an entity group that includes a plurality of entities, wherein each one of the plurality of entities represents one of a user, a machine, and a service;
  
  creating a behavior profile for each one of the plurality of entities of the entity group;
  
  monitoring behavior of each one of the plurality of entities of the entity group to detect behavior change; and
  
  detecting an indicator of compromise based on multiple ones of the plurality of entities experiencing substantially a same behavior change.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory machine-readable storage medium of claim 9, wherein creating the entity group is performed responsive to receiving input from a user that specifies the plurality of entities belonging to the entity group.
  - 11. The non-transitory machine-readable storage medium of claim 9, wherein creating the entity group is automatically performed and populated with the plurality of entities based on a set of one or more attributes common to those plurality of entities.
  - 12. The non-transitory machine-readable storage medium of claim 9, wherein creating the entity group is automatically performed and populated with the plurality of entities based on those plurality of entities previously showing similar behavior.
  - 13. The non-transitory machine-readable storage medium of claim 9, wherein the created behavior profile for each one of the plurality of entities of the entity group includes a set of one or more features that are used to distinguish behavior between the plurality of entities.
  - 14. The non-transitory machine-readable storage medium of claim 9, wherein the created behavior profile for each one of the plurality of entities of the entity group includes a set of one or more features that are used to distinguish behavior of the created entity group as compared to behavior of a different entity group.
  - 15. The non-transitory machine-readable storage medium of claim 14, wherein the set of features are extracted or derived from metadata and other items of interest including one or more of:
    - network packets propagating to/from devices, log information, and flow based connection records.
  - 16. The non-transitory machine-readable storage medium of claim 15, wherein detecting the indicator of compromise based on multiple ones of the plurality of entities experiencing substantially a same behavior change includes finding a distance change of current behavior versus historical behavior for each of the multiple ones of the plurality of entities that is within a threshold or percentage change.

17. An apparatus for collaborative and adaptive threat intelligence, comprising:
- a processor; and
  
  a non-transitory machine-readable storage medium containing instructions executable by said processor whereby said apparatus is operative to;
  
  create an entity group that includes a plurality of entities, wherein each one of the plurality of entities represents one of a user, a machine, and a service;
  
  create a behavior profile for each one of the plurality of entities of the entity group;
  
  monitor behavior of each one of the plurality of entities of the entity group to detect behavior change; and
  
  detect an indicator of compromise based on multiple ones of the plurality of entities experiencing substantially a same behavior change.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The non-transitory machine-readable storage medium of claim 17, wherein creation of the entity group is performed responsive to receiving input from a user that specifies the plurality of entities belonging to the entity group.
  - 19. The non-transitory machine-readable storage medium of claim 17, wherein creation of the entity group is automatically performed and populated with the plurality of entities based on a set of one or more attributes common to those plurality of entities.
  - 20. The non-transitory machine-readable storage medium of claim 17, wherein creation of the entity group is automatically performed and populated with the plurality of entities based on those plurality of entities previously showing similar behavior.
  - 21. The non-transitory machine-readable storage medium of claim 17, wherein once created, the behavior profile for each one of the plurality of entities of the entity group includes a set of one or more features that are used to distinguish behavior between the plurality of entities.
  - 22. The non-transitory machine-readable storage medium of claim 17, wherein once crated, the behavior profile for each one of the plurality of entities of the entity group includes a set of one or more features that are used to distinguish behavior of the created entity group as compared to behavior of a different entity group.
  - 23. The non-transitory machine-readable storage medium of claim 22, wherein the set of features are extracted or derived from metadata and other items of interest including one or more of:
    - network packets propagating to/from devices, log information, and flow based connection records.
  - 24. The non-transitory machine-readable storage medium of claim 23, wherein detection of the indicator of compromise based on multiple ones of the plurality of entities experiencing substantially a same behavior change includes a finding that a distance change of current behavior versus historical behavior for each of the multiple ones of the plurality of entities that is within a threshold or percentage change.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Niara, Inc. (Hewlett-Packard Enterprise Company)
Inventors
Wang, Jisheng

Granted Patent

US 10,212,176 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04W 4/38 for collecting sensor infor...

Entity Group Behavior Profiling

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

203 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Entity Group Behavior Profiling

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

203 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links