EVENT CORRELATION ACROSS HETEROGENEOUS OPERATIONS
Abstract
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for transforming representations of network activity data. A data structure that represents communication events between computing devices of one or more networks is received. The data structure is analyzed and a set of potential attack paths represented in the data structure is determined. A score is assigned to each potential attack path in the set of potential attack paths. Potential attack paths that have scores that do not meet a predetermined threshold are removed from the set of potential attack paths. Potential attack paths that remain in the set of potential attack paths are ranked, based on each score assigned to each potential attack path, and the data structure that includes a ranked set of potential attack paths is provided.
20 Claims
1. A computer-implemented method for transforming representations of network activity data, the method being executed by one or more processors and comprising:
- receiving a data structure that represents communication events between computing devices of one or more networks, wherein the data structure is a directed graph stored in a graph database;
- analyzing the data structure and determining a set of potential attack paths represented in the data structure;
- assigning a score to each potential attack path in the set of potential attack paths;
- removing potential attack paths from the set of potential attack paths that have scores that do not meet a predetermined threshold;
- ranking potential attack paths that remain in the set of potential attack paths, based on each score assigned to each potential attack path; and
- providing the data structure that includes a ranked set of potential attack paths.
- Dependent claims: 2 through 15.
16. A system, comprising:
- one or more processors; and
- a computer-readable storage device coupled to the one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for transforming representations of network activity data, the operations comprising:
  - receiving a data structure that represents communication events between computing devices of one or more networks, wherein the data structure is a directed graph stored in a graph database;
  - analyzing the data structure and determining a set of potential attack paths represented in the data structure;
  - assigning a score to each potential attack path in the set of potential attack paths;
  - removing potential attack paths from the set of potential attack paths that have scores that do not meet a predetermined threshold;
  - ranking potential attack paths that remain in the set of potential attack paths, based on each score assigned to each potential attack path; and
  - providing the data structure that includes a ranked set of potential attack paths.
- Dependent claims: 17, 18, 19.
20. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for transforming representations of network activity data, the operations comprising:
- receiving a data structure that represents communication events between computing devices of one or more networks, wherein the data structure is a directed graph stored in a graph database;
- analyzing the data structure and determining a set of potential attack paths represented in the data structure;
- assigning a score to each potential attack path in the set of potential attack paths;
- removing potential attack paths from the set of potential attack paths that have scores that do not meet a predetermined threshold;
- ranking potential attack paths that remain in the set of potential attack paths, based on each score assigned to each potential attack path; and
- providing the data structure that includes a ranked set of potential attack paths.
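The pipeline the independent claims describe (receive a directed graph of communication events, determine potential attack paths, score them, drop those below a threshold, rank the rest, return the graph with the ranked set attached), implemented as an added example that is not the patent's or any product's code. An in-memory dict stands in for the graph database; the node names, the per-edge likelihoods and the product-of-likelihoods scoring rule are constructed assumptions, since the claims do not say how a score is computed.

```python
# Added example, not the patent's code. Assumptions: an in-memory dict stands in
# for the graph database, and each edge carries an analyst-assigned likelihood
# in (0, 1] that an intrusion can be extended across that observed link.
# Constructed sample: edges[src][dst] = likelihood the link can be abused.
SAMPLE_GRAPH = {"edges": {
    "internet":  {"web01": 0.9, "hr-laptop": 0.5},
    "web01":     {"app01": 0.7, "db01": 0.2},
    "app01":     {"db01": 0.6},
    "hr-laptop": {"jump01": 0.4, "app01": 0.3},
    "jump01":    {"db01": 0.8},
    "db01":      {},
}}

def find_attack_paths(graph, sources, targets, max_hops=6):
    """Enumerate simple directed paths from any source to any target (DFS).
    A path ends at the first target it reaches; cycles are never followed."""
    edges, paths = graph["edges"], []

    def walk(node, path):
        if node in targets:
            paths.append(list(path))
            return
        if len(path) - 1 >= max_hops:      # bound the search depth
            return
        for nxt in edges.get(node, {}):
            if nxt not in path:            # simple paths only
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    for src in sources:
        if src not in targets:
            walk(src, [src])
    return paths

def score_path(graph, path):
    """Assumed scoring rule: product of the edge likelihoods along the path."""
    score = 1.0
    for a, b in zip(path, path[1:]):
        score *= graph["edges"][a][b]
    return score

def rank_attack_paths(graph, sources, targets, threshold):
    """Score every path, drop those below threshold, rank the rest, attach them to the graph."""
    scored = [(score_path(graph, p), p) for p in find_attack_paths(graph, sources, targets)]
    kept = sorted(((s, p) for s, p in scored if s >= threshold), key=lambda sp: (-sp[0], sp[1]))
    graph["ranked_attack_paths"] = [
        {"rank": i + 1, "score": round(s, 4), "path": p} for i, (s, p) in enumerate(kept)]
    return graph
```

With the sample graph, entry point `internet`, target `db01` and threshold 0.15, four candidate paths are found; the `internet -> hr-laptop -> app01 -> db01` chain (score 0.09) is removed and the other three are returned in descending score order.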
Specification