EVENT CORRELATION ACROSS HETEROGENEOUS OPERATIONS

US 20160301709A1
Filed: 08/31/2015
Published: 10/13/2016
Est. Priority Date: 04/09/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for transforming representations of network activity data, the method being executed by one or more processors and comprising:

receiving a data structure that represents communication events between computing devices of one or more networks, wherein the data structure is a directed graph stored in a graph database;

analyzing the data structure and determining a set of potential attack paths represented in the data structure;

assigning a score to each potential attack path in the set of potential attack paths;

removing potential attack paths from the set of potential attack paths that have scores that do not meet a predetermined threshold;

ranking potential attack paths that remain in the set of potential attack paths, based on each score assigned to each potential attack path; and

providing the data structure that includes a ranked set of potential attack paths.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for transforming representations of network activity data. A data structure that represents communication events between computing devices of one or more networks is received. The data structure is analyzed and a set of potential attack paths represented in the data structure is determined. A score is assigned to each potential attack path in the set of potential attack paths. Potential attack paths that have scores that do not meet a predetermined threshold are removed from the set of potential attack paths. Potential attack paths that remain in the set of potential attack paths are ranked, based on each score assigned to each potential attack path, and the data structure that includes a ranked set of potential attack paths is provided.

108 Citations

20 Claims

1. A computer-implemented method for transforming representations of network activity data, the method being executed by one or more processors and comprising:
- receiving a data structure that represents communication events between computing devices of one or more networks, wherein the data structure is a directed graph stored in a graph database;
  
  analyzing the data structure and determining a set of potential attack paths represented in the data structure;
  
  assigning a score to each potential attack path in the set of potential attack paths;
  
  removing potential attack paths from the set of potential attack paths that have scores that do not meet a predetermined threshold;
  
  ranking potential attack paths that remain in the set of potential attack paths, based on each score assigned to each potential attack path; and
  
  providing the data structure that includes a ranked set of potential attack paths.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the computing devices of the one or more networks are represented by nodes of the directed graph, and the communication events are represented by directed edges between the nodes of the directed graph.
  - 3. The method of claim 2, wherein determining the set of potential attack paths represented in the data structure includes traversing the directed graph based on timestamp information associated with the directed edges between the nodes to determine a plurality of node sequences, each node sequence proceeding from an originating node to a destination node.
  - 4. The method of claim 3, wherein determining the set of potential attack paths represented in the data structure includes determining all possible node sequences of two or more linked nodes within the data structure.
  - 5. The method of claim 1, wherein analyzing the data structure includes receiving information provided by a rule or pattern-based threat intelligence data source.
  - 6. The method of claim 1, wherein analyzing the data structure includes determining a meshedness coefficient for the data structure that indicates whether one or more potential attack paths represented in the data structure are looped.
  - 7. The method of claim 6, wherein determining the set of potential attack paths represented in the data structure includes converting looped potential attack paths to non-looped potential attack paths.
  - 8. The method of claim 1, wherein assigning the score to each potential attack path in the set of potential attack paths includes determining, for each potential attack path, two or more component scores including two or more of a spatial component score, a temporal component score, and an importance component score, and wherein the score for the potential attack path is an aggregation of the two or more component scores.
  - 9. The method of claim 8, wherein the spatial component score represents a distance between computing devices within the one or more networks.
  - 10. The method of claim 8, wherein the spatial component score represents a number of logical system boundaries crossed by the potential attack path.
  - 11. The method of claim 8, wherein the temporal component score represents a function of the rate at which communication events associated with the attack path occur.
  - 12. The method of claim 8, wherein the importance component score represents an importance of one or more computing devices associated with the potential attack path.
  - 13. The method of claim 12, wherein determining the importance component score includes receiving information related to the one or more computing devices associated with the potential attack path from a configuration management system.
  - 14. The method of claim 8, wherein the importance component score represents an importance of one or more communication events associated with the potential attack path.
  - 15. The method of claim 14, wherein determining the importance component score includes receiving information related to the one or more communication events associated with the potential attack path from a network security sensor.

16. A system, comprising:
- one or more processors; and
  
  a computer-readable storage device coupled to the one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for transforming representations of network activity data, the operations comprising;
  
  receiving a data structure that represents communication events between computing devices of one or more networks, wherein the data structure is a directed graph stored in a graph database;
  
  analyzing the data structure and determining a set of potential attack paths represented in the data structure;
  
  assigning a score to each potential attack path in the set of potential attack paths;
  
  removing potential attack paths from the set of potential attack paths that have scores that do not meet a predetermined threshold;
  
  ranking potential attack paths that remain in the set of potential attack paths, based on each score assigned to each potential attack path; and
  
  providing the data structure that includes a ranked set of potential attack paths.
- View Dependent Claims (17, 18, 19)
- - 17. The system of claim 16, wherein the computing devices of the one or more networks are represented by nodes of the directed graph, and the communication events are represented by directed edges between the nodes of the directed graph.
  - 18. The system of claim 16, wherein analyzing the data structure includes receiving information provided by a rule or pattern-based threat intelligence data source.
  - 19. The system of claim 16, wherein assigning the score to each potential attack path in the set of potential attack paths includes determining, for each potential attack path, two or more component scores including two or more of a spatial component score, a temporal component score, and an importance component score, and wherein the score for the potential attack path is an aggregation of the two or more component scores.

20. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for transforming representations of network activity data, the operations comprising:
- receiving a data structure that represents communication events between computing devices of one or more networks, wherein the data structure is a directed graph stored in a graph database;
  
  analyzing the data structure and determining a set of potential attack paths represented in the data structure;
  
  assigning a score to each potential attack path in the set of potential attack paths;
  
  removing potential attack paths from the set of potential attack paths that have scores that do not meet a predetermined threshold;
  
  ranking potential attack paths that remain in the set of potential attack paths, based on each score assigned to each potential attack path; and
  
  providing the data structure that includes a ranked set of potential attack paths.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
Hassanzadeh, Amin, Modi, Shimon, Mulchandani, Shaan, Negm, Walid

Granted Patent

US 9,712,554 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 67/10   in which an application is ...

EVENT CORRELATION ACROSS HETEROGENEOUS OPERATIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

108 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

EVENT CORRELATION ACROSS HETEROGENEOUS OPERATIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

108 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links