LATERAL MOVEMENT DETECTION
Abstract
Lateral movement detection may be performed by employing different detection models to score logon sessions. The different detection models may be implemented by and/or utilize counts computed from historical security event data. The different detection models may include probabilistic intrusion detection models for detecting compromised behavior based on logon behavior, a sequence of security events observed during a logon session, inter-event time between security events observed during a logon session, and/or an attempt to logon using explicit credentials. Scores for each logon session that are output by the different detection models may be combined to generate a ranking score for each logon session. A list of ranked alerts may be generated based on the ranking score for each logon session to identify compromised authorized accounts and/or compromised machines. An attack graph may be automatically generated based on compromised account-machine pairs to visually display probable paths of an attacker.
20 Claims
1. A computer-implemented method for performing network intrusion detection in a computer network having multiple computing devices, the method comprising:
- accessing historical logon session data related to activities performed in connection with multiple authorized accounts during logon sessions on corresponding computing devices in the computer network, the historical logon session data including data representing security events triggered during each of the logon sessions in response to the corresponding authorized account accessing one of the computing devices in the computer network; and
- based on the received historical logon session data, generating models each configured to output a probability value indicating whether one or more security events related to a new logon session in connection with one of the multiple authorized accounts are indicative of a compromised behavior, the generated models individually including a historical occurrence value of a distinct combination of the security events triggered during the individual logon sessions, the individual generated models being.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A computing device in a computer network containing multiple other computing devices, the computing device comprising:
- a processor for executing computer-executable instructions; and
- memory storing computer-executable instructions executable by the processor to cause the processor to:
- access historical logon session data related to activities performed in connection with multiple authorized accounts during logon sessions on corresponding computing devices in the computer network, the historical logon session data including data representing security events triggered during each of the logon sessions in response to the corresponding authorized account accessing one of the computing devices in the computer network; and
- based on the received historical logon session data, generate one or more models individually configured to output a probability value indicating whether one or more security events related to a new logon session in connection with one of the multiple authorized accounts are indicative of a compromised behavior, the generated models individually including a historical occurrence value of a distinct combination of the security events triggered during the individual logon sessions, the individual generated models being.
Dependent claims: 10, 11, 12, 13, 14, 15, 16
17. A computer-implemented method for performing network intrusion detection in a computer network having multiple computing devices, the method comprising:
- receiving logon session data of activities performed related to authorized accounts during logon sessions on a corresponding computing device in the computer network, the logon session data including data representing security events triggered during the logon sessions in response to the authorized accounts accessing the corresponding computing device in the computer network;
- for each of the logon sessions: deriving one or more probabilities of intrusion related to the logon session based on a comparison of the logon session data with distinct combinations of security event variables and a historical occurrence value corresponding to the individual distinct combinations of the security event variables, the individual probabilities of intrusion indicating whether one or more security events related to the logon session are indicative of a compromised behavior; and combining the derived one or more probabilities of intrusion into an overall probability related to the logon session; and
- identifying one or more of compromised authorized accounts or compromised computing devices in the computer network based on the overall probabilities of the logon sessions related to the logon sessions by the authorized accounts on a corresponding computing device in the computer network.
Dependent claims: 18, 19, 20
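The count-based scoring that the abstract and claim 17 describe, as an added illustration rather than code from the patent: constructed historical sessions feed two per-account models, one for the account-machine logon pair (logon behavior) and one for the distinct combination of security events observed in a session; each yields a smoothed historical-occurrence probability, and the two are combined into a single ranking score so new sessions can be sorted into an alert list. The class name SessionScorer, the additive smoothing, and the product-of-probabilities combination are my own assumptions, not the patent's specification.

```python
import math
from collections import Counter

# Constructed historical logon sessions (not real telemetry): account, machine, and the
# set of Windows security event IDs observed during the session.
HISTORY = [
    ("alice", "ws01", {"4624", "4672"}),
    ("alice", "ws01", {"4624", "4672"}),
    ("alice", "ws01", {"4624"}),
    ("alice", "fs01", {"4624"}),
    ("bob", "ws02", {"4624"}),
    ("bob", "ws02", {"4624", "4634"}),
    ("bob", "ws02", {"4624"}),
]

class SessionScorer:
    """Two count-based models built from history, combined into one ranking score (assumed design)."""

    def __init__(self, history, alpha=1.0):
        self.alpha = alpha  # additive smoothing: unseen combinations get a small, non-zero probability
        self.sessions_per_account = Counter(a for a, _, _ in history)
        # Logon-behavior model: how often has this account logged on to this machine?
        self.pair_counts = Counter((a, m) for a, m, _ in history)
        # Event-combination model: how often has this account produced this exact event set?
        self.combo_counts = Counter((a, frozenset(ev)) for a, _, ev in history)
        self.n_machines = len({m for _, m, _ in history})
        self.n_combos = len({frozenset(ev) for _, _, ev in history})

    def _prob(self, count, total, categories):
        return (count + self.alpha) / (total + self.alpha * categories)

    def logon_prob(self, account, machine):
        return self._prob(self.pair_counts[(account, machine)],
                          self.sessions_per_account[account], self.n_machines)

    def combo_prob(self, account, events):
        return self._prob(self.combo_counts[(account, frozenset(events))],
                          self.sessions_per_account[account], self.n_combos)

    def ranking_score(self, account, machine, events):
        # Models treated as independent; the rarer the joint behaviour, the higher the score.
        joint = self.logon_prob(account, machine) * self.combo_prob(account, events)
        return -math.log(joint)

def rank_alerts(scorer, new_sessions):
    """Score each new (account, machine, events) session and return them most suspicious first."""
    scored = [(scorer.ranking_score(a, m, ev), a, m) for a, m, ev in new_sessions]
    return sorted(scored, key=lambda t: t[0], reverse=True)
```

Calling rank_alerts(SessionScorer(HISTORY), ...) with a routine alice@ws01 session and an alice@ws02 session carrying a never-seen event set ranks the ws02 session first, since both of its model probabilities fall to the smoothing floor.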