ENTERPRISE GRAPH METHOD OF THREAT DETECTION

US 20180084001A1
Filed: 09/22/2016
Published: 03/22/2018
Est. Priority Date: 09/22/2016
Status: Active Grant

First Claim

Patent Images

1. A method for analyzing security alerts, comprising:

generating an enterprise graph based on information associated with an enterprise;

utilizing the enterprise graph to identify relationships between computers of the enterprise;

receiving a plurality of security alerts produced by a plurality of security components of the enterprise;

identifying at least one significant relationship between two or more of the plurality of security alerts based on a strength of a relationship identified in the enterprise graph; and

identifying at least one potential security incident based on the at least one significant relationship between the two or more of the plurality of security alerts.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for analyzing security alerts within an enterprise are provided. An enterprise graph is generated based on information such as operational intelligence regarding the enterprise. The enterprise graph identifies relationships between entities of the enterprise and a plurality of security alerts are produced by a plurality of security components of the enterprise. One or more significant relationships are identified between two or more of the plurality of security alerts based on a strength of a relationship identified in the enterprise graph. A significant relationship is utilized to identify a potential security incident between two or more of the security alerts.

31 Citations

View as Search Results

20 Claims

1. A method for analyzing security alerts, comprising:
- generating an enterprise graph based on information associated with an enterprise;
  
  utilizing the enterprise graph to identify relationships between computers of the enterprise;
  
  receiving a plurality of security alerts produced by a plurality of security components of the enterprise;
  
  identifying at least one significant relationship between two or more of the plurality of security alerts based on a strength of a relationship identified in the enterprise graph; and
  
  identifying at least one potential security incident based on the at least one significant relationship between the two or more of the plurality of security alerts.
- View Dependent Claims (2, 3, 4, 5, 6, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 further comprising examining the security alerts associated with the at least one potential security incident to identify at least one known part of an attack.
  - 3. The method of claim 2 wherein examining the security alerts associated with the at least one potential security incident to identify at least one known part of an attack comprises comparing a chain of events with a criteria for an attack.
  - 4. The method of claim 1 further comprising indicating the plurality of security alerts of a potential security incident has priority over other security alerts not associated with any other identified potential security incident.
  - 5. The method of claim 1 further comprising recommending the plurality of security alerts of a potential security incident be given investigative priority.
  - 6. The method of claim 1 further comprising presenting the plurality of security alerts of a potential security incident as a chain of events.
  - 6-1. The method of claim 1 further comprising generating a priority list of security alerts based on one or more potential security incidents.
  - 7. The method of claim 1 further comprising concluding that a potential security incident is an actual attack.
  - 8. The method of claim 1 further comprising prioritizing a plurality of potential security incidents relative to one another.
  - 9. The method of claim 1 wherein identifying the at least one potential security incident based on the at least one significant relationship between the two or more of the plurality of security alerts involves two or more computers of the enterprise.
  - 10. The method of claim 1 wherein one of the security alerts occur as a result of detection of a known piece of malicious executable code at an entity and another security alert occurs as a result of receipt of the known piece of malicious executable code from another entity.
  - 11. The method of claim 10 wherein the one security alert occurring as a result of detecting the known piece of malicious executable code and the other security alert occurring as a result of the receipt of the known piece of malicious executable code together result in a potential security incident.
  - 12. The method of claim 1 wherein the at least one security alert itself, which corresponds with a detected known piece of malicious executable code, results in a potential security incident.

13. A system for analyzing security alerts, comprising:
- an enterprise graph service for generating an enterprise graph based on information associated with an enterprise for identifying relationships between computers of the enterprise;
  
  a plurality of security components generating a plurality of security alerts regarding the enterprise;
  
  a fusion service for identifying significant relationships between security alerts, wherein each significant relationship is identified in the enterprise graph and corresponds with at least two or more security alerts; and
  
  a kill chain interpreter for identifying potential security incidents based on significant relationships between two or more of the plurality of security alerts.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13 further comprising a list prioritizing the security alerts corresponding with the potential security incidents identified by the kill chain interpreter.
  - 15. The system of claim 13 further comprising a recommendation that the security alerts of one or more of the potential security incidents be given priority over other security alerts not associated with any other identified potential security incident.
  - 16. The system of claim 13 further comprising a conclusion that that one or more potential security incidents is an actual attack.
  - 17. The system of claim 13 further comprising a list of prioritized potential security incidents.
  - 18. The system of claim 13 wherein at least one potential security incident based on the at least one significant relationship between the two or more of the plurality of security alerts involves two or more computers of the enterprise.
  - 19. The system of claim 13 wherein one of the security alerts occurring as a result of detection of a known piece of malicious executable code at an entity and another security alert occurring as a result of receipt of the known piece of malicious executable code from another entity together result in a potential security incident.

20. A computer-readable storage medium including instructions for analyzing security alerts, which when executed by a processor are operable to:
- generating an enterprise graph based on information associated with an enterprise;
  
  utilizing the enterprise graph to identify relationships between computers of the enterprise;
  
  receiving a plurality of security alerts produced by a plurality of security components of the enterprise;
  
  identifying at least one significant relationship between two or more of the plurality of security alerts based on a strength of a relationship identified in the enterprise graph;
  
  identifying a potential security incident involving two or more entities of the enterprise based on the at least one significant relationship between the two or more of the plurality of security alerts, and wherein the potential security incident corresponds with at least part of a known piece of malicious executable code;
  
  indicating the plurality of security alerts of the potential security incident have priority over other security alerts not associated with the identified potential security incident; and
  
  concluding that the potential security incident is an actual attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Hudis, Efim, Braverman-Blumenstyk, Michal, Alon, Daniel, Neuvirth, Hani Hana, Ronen, Royi, Gurevich, Yuri

Granted Patent

US 10,771,492 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

ENTERPRISE GRAPH METHOD OF THREAT DETECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ENTERPRISE GRAPH METHOD OF THREAT DETECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links