MALICIOUS THREAT DETECTION THROUGH TIME SERIES GRAPH ANALYSIS

US 20180077175A1
Filed: 09/13/2016
Published: 03/15/2018
Est. Priority Date: 09/13/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, by a data analysis device, a data file comprising multiple log data entries, the log data entries including parameters associated with a computer network event in a computing network;

producing, by the data analysis device, a graphical model of the computing network based on at least one parameter included in the log data entries;

identifying, by the data analysis device, a parameter associated with the graphical model, the parameter also being associated with a node of the computing network;

performing, by the data analysis device, a time-series analysis on the parameter; and

determining, based on the time-series analysis on the parameter, at least one of an anomalous event associated with the computing network or a malicious event associated with the computing network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Malicious threat detection through time-series graph analysis, in which a data analysis device receives a data file comprising multiple log data entries. The log data entries include parameters associated with a computer network event in a computing network. The data analysis device produces a graphical model of the computing network based on at least one parameter included in the log data. The data analysis device also identifies a parameter associated with a node of the computer network represented by the graphical model, and performs a time-series analysis on the parameter. The data analysis device further determines, based on the time-series analysis on the parameter, at least one of an anomalous event associated with the computing network or a malicious event associated with the computing network.

34 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- receiving, by a data analysis device, a data file comprising multiple log data entries, the log data entries including parameters associated with a computer network event in a computing network;
  
  producing, by the data analysis device, a graphical model of the computing network based on at least one parameter included in the log data entries;
  
  identifying, by the data analysis device, a parameter associated with the graphical model, the parameter also being associated with a node of the computing network;
  
  performing, by the data analysis device, a time-series analysis on the parameter; and
  
  determining, based on the time-series analysis on the parameter, at least one of an anomalous event associated with the computing network or a malicious event associated with the computing network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein producing the graphical model of the computer network comprises analyzing, by a processor of the data analysis device, log data entries using one or more graph analytic (GA) measures to produce a first set of GA metrics.
  - 3. The method of claim 2, wherein the GA measures comprise at least one of a PageRank measure, a between-ness centrality measure, a triangle count measure, or one or more graph analytic measures configured to analyze a reoccurring characteristic of the at least one parameter.
  - 4. The method of claim 2, further comprising:
    - performing, by the data analysis device, a periodic log data update that comprises point-in-time partitioning by, for each update of the periodic log data update, receiving a past time window of log data entries associated with the graphical model and storing, in a data storage unit of the data analysis device, the past time window.
  - 5. The method of claim 4, further comprising, analyzing, by the processor, the past time window of log data entries associated with the graphical model to produce a subsequent set of GA metrics, wherein the first set of GA metrics and subsequent set of GA metrics each comprise at least one parameter on which time-series analysis is performed.
  - 6. The method of claim 4, further comprising, storing, in the data storage unit, the graphical model of the data as at least one of an adjacency matrix and a compressed sparse matrix.
  - 7. The method of claim 1, wherein performing time-series analysis on the parameter includes analyzing, by the data analysis device, the node of the computing network to detect a change in an attribute of the node that exceeds a predetermined threshold, and wherein the change occurs between a first time period and a second time period that is later in time than the first time period.
  - 8. The method of claim 1, further comprising:
    - extracting, by the data analysis device, the parameters associated with the computer network event and preparing at least one parameter to be loaded into a data storage unit of the data analysis device; and
      
      wherein extracting and preparing occur in response to a processor of the data analysis device executing an instruction stored in the data storage unit, wherein the instruction comprises an extract, transform, load (ETL) data processing function.
  - 9. The method of claim 1, wherein the parameters associated with the computer network event included in the log data entries comprise at least one of a network event type, a source identifier, or a destination identifier, and wherein the node comprises one of a computing asset or a user of a computing asset.
  - 10. The method of claim 1, wherein performing the time-series analysis comprises performing at least a part of the time-series analysis using one of a graphics processing unit (GPU), a central processing unit (CPU), an application specific integrated circuit, or a programmable logic device.

11. An electronic system comprising:
- one or more processing devices; and
  
  one or more machine-readable storage devices storing instructions that are executable by the one or more processing devices to perform operations comprising;
  
  receiving a data file comprising multiple log data entries, the log data entries including parameters associated with a computer network event in a computing network;
  
  producing a graphical model of the computing network based on at least one parameter included in the log data entries;
  
  identifying a parameter associated with the graphical model, the parameter also being associated with a node of the computing network;
  
  performing a time-series analysis on the parameter; and
  
  determining, based on the time-series analysis on the parameter, at least one of an anomalous event associated with the computing network or a malicious event associated with the computing network.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The electronic system of claim 11, wherein producing the graphical model of the computing network comprises analyzing, by a graphics processor of the electronic system, log data entries using one or more graph analytic (GA) measures to produce a first set of GA metrics.
  - 13. The electronic system of claim 12, wherein the GA measures comprise at least one of a PageRank measure, a between-ness centrality measure, a triangle count measure, or one or more graph analytic measures configured to analyze a reoccurring characteristic of the at least one parameter.
  - 14. The electronic system of claim 12, wherein, operations performed by the electronic system further comprises performing a periodic log data update that comprises point-in-time partitioning by, for each update of the periodic log data update, receiving a past time window of log data entries associated with the graphical model and storing, in a storage device of the electronic system, the past time window of log data entries.
  - 15. The electronic system of claim 14, wherein, operations performed by the electronic system further comprises, analyzing, by the graphics processor, the past time window of log data entries associated with the graphical model to produce a subsequent set of GA metrics, wherein the first set of GA metrics and subsequent set of GA metrics each comprise at least one parameter on which time-series analysis is performed.
  - 16. The electronic system of claim 11, wherein, operations performed by the electronic system further comprises extracting the parameters associated with the computer network event and preparing at least one parameter to be loaded into a storage device of the electronic system;
    - andwherein extracting and preparing occur in response to a processor of the data analysis device executing an instruction stored in the data storage unit, wherein the instruction comprises an extract, transform, load (ETL) data processing function.
  - 17. The electronic system of claim 11, wherein performing time-series analysis on the parameter includes analyzing, by a graphics processor of the electronic system, the node of the computing network to detect a change in an attribute of the node that exceeds a predetermined threshold, and wherein the change occurs between a first time period and a second time period that is later in time than the first time period.
  - 18. The system of claim 11, wherein the time-series analysis methods comprise at least one of a time-series regression method, an auto-regressive method, a control-chart based method, or a markov jump method.

19. A non-transitory computer storage unit disposed in a data analysis device and encoded with a computer program, the program comprising instructions that when executed by one or more processing units cause the one or more processing units to perform operations comprising:
- receiving a data file comprising multiple log data entries, the log data entries including parameters associated with a computer network event in a computing network;
  
  producing a graphical model of the computing network based on at least one parameter included in the log data entries;
  
  identifying a parameter associated with the graphical model, the parameter also being associated with a node of the computing network;
  
  performing a time-series analysis on the parameter; and
  
  determining, based on the time-series analysis on the parameter, at least one of an anomalous event associated with the computing network or a malicious event associated with the computing network.
- View Dependent Claims (20)
- - 20. The non-transitory computer storage unit of claim 19, wherein producing the graphical model of the computing network comprises analyzing, by a processing unit of the data analysis device, log data entries using one or more graph analytic (GA) measures to produce a first set of GA metrics.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Solutions Limited (Accenture PLC)
Original Assignee
Accenture Global Solutions Limited (Accenture PLC)
Inventors
DiValentin, Louis William, Patterson, Joshua, Kraus, Keith, Burkett, Robin Lynn, Wendt, Michael Evan

Granted Patent

US 10,476,896 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2477   Temporal data queries

G06F 16/254   Extract, transform and load...

G06F 21/552   involving long-term monitor...

G06F 2201/81   Threshold

G06F 2201/835   Timestamp

G06F 2201/86   Event-based monitoring

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

MALICIOUS THREAT DETECTION THROUGH TIME SERIES GRAPH ANALYSIS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MALICIOUS THREAT DETECTION THROUGH TIME SERIES GRAPH ANALYSIS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links