Graph-based Intrusion Detection Using Process Traces
4 Assignments
0 Petitions
Abstract
Methods and systems for detecting malicious processes include modeling system data as a graph comprising vertices that represent system entities and edges that represent events between respective system entities. Each edge has one or more timestamps corresponding to respective events between two system entities. A set of valid path patterns that relate to potential attacks is generated. One or more event sequences in the system are determined to be suspicious based on the graph and the valid path patterns using a random walk on the graph.
37 Citations
20 Claims
1. A method for detecting malicious processes, comprising:
modeling system data as a graph comprising vertices that represent system entities and edges that represent events between respective system entities, each edge comprising one or more timestamps corresponding to respective events between two system entities;
generating a set of valid path patterns that relate to potential attacks; and
determining one or more event sequences in the system to be suspicious based on the graph and the valid path patterns using a random walk on the graph.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A system for detecting malicious processes, comprising:
a modeling module configured to model system data as a graph that comprises vertices that represent system entities and edges that represent events between respective system entities, each edge comprising one or more timestamps corresponding to respective events between two system entities; and
a malicious process path discovery module comprising a processor configured to generate a set of valid path patterns that relate to potential attacks and to determine one or more event sequences in the system to be suspicious based on the graph and the valid path patterns using a random walk on the graph.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
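The abstract and the two independent claims describe the pipeline only in outline: entities as vertices, timestamped events as edges, attack-related path patterns, and a random walk that surfaces event sequences matching those patterns. The following is an added illustration of one way such a pipeline can be realised; it is not code from the patent, its assignee, or any product. The vertex naming convention ("proc:", "file:", "sock:"), the pattern format (a sequence of entity type and event type pairs), the sample events, and the decisions that the walk chooses uniformly among admissible edges and takes the earliest timestamp later than the previous hop are all assumptions made for the example. The timestamp check is the security-relevant part: a chain of edges that exists in the graph but whose events occurred out of order is not a real event sequence and should not be reported.

```python
"""Temporal event graph with a pattern-constrained random walk.

Added illustration only; not the patent's own method. Naming, pattern
format and sample data are assumptions for the example.
"""
import random
from collections import defaultdict

# Constructed sample events: (source vertex, destination vertex, event type, timestamp).
EVENTS = [
    ("proc:winword", "file:report.docx", "read", 100),
    ("proc:winword", "proc:cmd", "spawn", 105),
    ("proc:cmd", "proc:powershell", "spawn", 106),
    ("proc:powershell", "sock:203.0.113.5:443", "connect", 110),
    ("proc:explorer", "proc:chrome", "spawn", 90),
    ("proc:chrome", "proc:updater", "spawn", 95),
    ("proc:updater", "sock:198.51.100.7:443", "connect", 80),   # predates the spawn: out of order
    ("proc:chrome", "sock:198.51.100.7:443", "connect", 101),
    ("proc:chrome", "sock:198.51.100.7:443", "connect", 130),   # second timestamp on the same edge
]

# Constructed attack-related path pattern: a process spawns a process, which spawns
# a process, which opens a network connection. The first step has no event type.
ATTACK_PATTERN = [("proc", None), ("proc", "spawn"), ("proc", "spawn"), ("sock", "connect")]


def vtype(vertex):
    """Entity type is the prefix before ':' (assumed naming convention)."""
    return vertex.split(":", 1)[0]


def build_graph(events):
    """Adjacency map: src -> {(dst, event_type): sorted list of timestamps}."""
    graph = defaultdict(lambda: defaultdict(list))
    for src, dst, etype, ts in events:
        graph[src][(dst, etype)].append(ts)
        graph[dst]  # touch the sink so every entity is a known vertex
    for src in graph:
        for key in graph[src]:
            graph[src][key].sort()
    return graph


def _candidates(graph, vertex, want_type, want_event, after_ts):
    """Edges out of `vertex` matching the next pattern step and occurring after `after_ts`."""
    out = []
    for (dst, etype), stamps in graph[vertex].items():
        if vtype(dst) != want_type or etype != want_event:
            continue
        later = [ts for ts in stamps if ts > after_ts]
        if later:
            out.append((dst, etype, later[0]))  # earliest admissible timestamp on this edge
    return out


def temporal_random_walk(graph, pattern, rng):
    """One walk constrained to the pattern and to strictly increasing timestamps.
    Returns the traversed events, or None if the walk dead-ends."""
    starts = sorted(v for v in graph if vtype(v) == pattern[0][0])
    if not starts:
        return None
    cur, last_ts, path = rng.choice(starts), float("-inf"), []
    for want_type, want_event in pattern[1:]:
        cands = _candidates(graph, cur, want_type, want_event, last_ts)
        if not cands:
            return None
        dst, etype, ts = rng.choice(sorted(cands))
        path.append((cur, dst, etype, ts))
        cur, last_ts = dst, ts
    return path


def enumerate_matches(graph, pattern):
    """Exhaustive DFS under the same constraints, used here as the reference answer."""
    found = []

    def dfs(cur, idx, last_ts, path):
        if idx == len(pattern):
            found.append(tuple(path))
            return
        want_type, want_event = pattern[idx]
        for dst, etype, ts in _candidates(graph, cur, want_type, want_event, last_ts):
            dfs(dst, idx + 1, ts, path + [(cur, dst, etype, ts)])

    for v in sorted(graph):
        if vtype(v) == pattern[0][0]:
            dfs(v, 1, float("-inf"), [])
    return found


def find_suspicious(events, pattern, walks=2000, seed=0):
    """Repeated walks; every completed walk is a pattern instance. Returns {path: hit count}."""
    graph = build_graph(events)
    rng = random.Random(seed)
    hits = {}
    for _ in range(walks):
        path = temporal_random_walk(graph, pattern, rng)
        if path is not None:
            hits[tuple(path)] = hits.get(tuple(path), 0) + 1
    return hits


if __name__ == "__main__":
    for path, count in find_suspicious(EVENTS, ATTACK_PATTERN).items():
        print(f"suspicious sequence (reached by {count} walks):")
        for src, dst, etype, ts in path:
            print(f"  {ts}: {src} --{etype}--> {dst}")
```

On the constructed data only the winword, cmd, powershell, socket chain is reported. The explorer, chrome, updater chain has the right shape but its connect event carries a timestamp earlier than the spawn that precedes it, so the temporal constraint rejects it. The exhaustive DFS is included to show what the walk is sampling from; on a real event graph the random walk is what keeps the search tractable, and the hit count per path is one simple way to rank results.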