PROCESSING NETWORK DATA USING A GRAPH DATA STRUCTURE
First Claim
1. A method for analyzing network data, comprising:
- obtaining network data indicative of communications between a plurality of computing devices across at least one network;
- processing the network data to generate a time-varying graph data structure, the time-varying graph data structure comprising node representations coupled by edge representations, each node representation corresponding to one of the plurality of computing devices, each edge representation corresponding to a communication between two of said computing devices in the at least one network and comprising data indicating a time of the communication;
- indexing the time-varying graph data structure for a plurality of time periods to generate a respective plurality of indexed time period representations, each indexed time period representation of the time-varying graph data structure comprising edge representations with a time of communication within a given time period in the plurality of time periods;
- obtaining an indication of at least one computing device within the plurality of computing devices that is associated with anomalous behavior and a time said anomalous behavior is detected;
- identifying an indexed time period representation associated with the time said anomalous behavior is detected; and
- starting from said identified indexed time period representation, processing the plurality of indexed time period representations to determine at least one further computing device within the plurality of computing devices that is also associated with the anomalous behavior.
Abstract
Certain described examples are directed towards analyzing network data. The network data is processed to generate a graph data structure that has edges that are associated with communication times from the network data and nodes that are associated with computer devices. Representations of the graph data structure are generated over time. Given an indication of at least a computing device, for example as involved in anomalous activity or a security incident, the representations of the graph data structure may be used to determine further associated computer devices that are associated with the indicated device.
15 Claims
10. An apparatus for analyzing network data comprising:
- a data interface to obtain network data from an accessible data storage device;
- a data storage device to store a graph data structure, the graph data structure comprising node representations coupled by edge representations;
- a graph constructor to process the network data obtained via the data interface and to construct the graph data structure, the graph constructor being configured to represent computing devices indicated in the network data as nodes of the graph data structure and to represent communications between computing devices indicated in the network data as edges of the graph data structure, wherein the graph constructor is further configured to store representations of the graph data structure over time by associating a time of communication between computing devices with each edge in the graph data structure;
- a graph indexer to index time period representations of the graph data structure, each time period representation comprising edges with a time of communication within a given time period; and
- a network security analyzer to obtain an indication of at least one computing device and a time that are associated with a security incident and to process the time period representations of the graph data structure from the graph indexer, starting from a time period representation associated with the obtained time, to determine at least one further computing device associated with the security incident.
15. A non-transitory computer-readable storage medium comprising a set of computer-readable instructions stored thereon which, when executed by at least one processor, cause the at least one processor to:
- obtain network data indicative of communications between a plurality of computing devices across at least one network within a particular time period, the network data comprising, for each communication, a timestamp, a network identifier of a sending device and a network identifier of a receiving device;
- process the network data to update a dynamic graph data structure to include the particular time period, the dynamic graph data structure representing a plurality of nodes coupled by edges, wherein each edge has an associated timestamp, including causing the at least one processor to, for each communication in the network data: associate the network identifiers of the sending device and the receiving device with respective representations of nodes in the dynamic graph data structure, generate a representation of an edge associated with said representations of nodes and set the associated timestamp of the edge to the timestamp of the communication;
- update a set of time-series metrics for the dynamic graph data structure to include the particular time period;
- obtain an indication of at least one computing device within the plurality of computing devices that exhibits a presence of malicious computer program code; and
- identify, using the set of time-series metrics and the indication of the at least one computing device, at least one further computing device within the plurality of computing devices that is deemed associated with the presence of malicious computer program code.
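The pipeline the claims describe (communication records, a time-varying graph whose edges carry the communication time, indexed time period representations, and a traversal that starts from the period in which the anomaly was detected) as an added worked example in Python. It is not code from the patent or from any product implementing it. Everything concrete in it is an assumption: the flow records are constructed, the period length is one hour counted from midnight of the first record, association is taken to follow the direction of the communication (sender to receiver when walking forward in time, receiver to sender when walking backward), and the per-period communication count stands in for the time-series metrics of claim 15.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample network records (timestamp, sender, receiver). These are
# illustrative values made up for this example, not data from the patent.
FLOWS = [
    ("2024-01-01T09:30:00", "ws-07", "printer"),
    ("2024-01-01T09:45:00", "vpn-gw", "ws-07"),
    ("2024-01-01T10:01:00", "ws-07", "dc-01"),
    ("2024-01-01T10:05:00", "ws-07", "ws-12"),
    ("2024-01-01T10:20:00", "ws-12", "fileserver"),
    ("2024-01-01T10:40:00", "ws-03", "dc-01"),
    ("2024-01-01T11:10:00", "ws-12", "ws-21"),
    ("2024-01-01T12:30:00", "ws-21", "backup-01"),
]

PERIOD = timedelta(hours=1)  # assumed indexing granularity


def build_graph(flows):
    """Time-varying graph: every edge keeps the time of the communication.
    Nodes are implied by the device identifiers on the edges."""
    edges = [(datetime.fromisoformat(ts), src, dst) for ts, src, dst in flows]
    edges.sort(key=lambda e: e[0])
    return edges


def period_of(t, epoch, period=PERIOD):
    """Index of the time period containing t (timedelta // timedelta -> int)."""
    return int((t - epoch) // period)


def index_periods(edges, period=PERIOD):
    """Indexed time period representations: period number -> the edges whose
    communication time falls in that period. Periods are counted from
    midnight of the day of the earliest communication (assumed epoch)."""
    first = edges[0][0]
    epoch = datetime(first.year, first.month, first.day)
    index = defaultdict(list)
    for edge in edges:
        index[period_of(edge[0], epoch, period)].append(edge)
    return epoch, dict(index)


def trace(index, epoch, seed, detected_at, forward=True, period=PERIOD):
    """Start from the period containing the detection time and walk the indexed
    periods to collect further devices associated with the anomaly.
    Assumption made here (the claims do not fix it): association follows the
    direction of the communication, sender -> receiver when walking forward
    in time (where did it spread to?) and receiver -> sender when walking
    backward (where did it come from?). Edges on the wrong side of the
    detection time inside the starting period are skipped."""
    start = period_of(detected_at, epoch, period)
    order = range(start, max(index) + 1) if forward else range(start, min(index) - 1, -1)
    associated = {seed}
    for p in order:
        for t, src, dst in sorted(index.get(p, []), key=lambda e: e[0], reverse=not forward):
            if forward and t >= detected_at and src in associated:
                associated.add(dst)
            elif not forward and t <= detected_at and dst in associated:
                associated.add(src)
    associated.discard(seed)
    return sorted(associated)


def degree_series(index):
    """One simple time-series metric per device: number of communications it
    took part in during each period, oldest period first."""
    periods = range(min(index), max(index) + 1)
    series = defaultdict(lambda: [0] * len(periods))
    for i, p in enumerate(periods):
        for _, src, dst in index.get(p, []):
            series[src][i] += 1
            series[dst][i] += 1
    return dict(series)


def analyze(flows, seed, detected_iso, forward=True, period=PERIOD):
    """Full pipeline: records -> time-varying graph -> indexed periods -> trace."""
    epoch, index = index_periods(build_graph(flows), period)
    return trace(index, epoch, seed, datetime.fromisoformat(detected_iso), forward, period)


if __name__ == "__main__":
    epoch, index = index_periods(build_graph(FLOWS))
    print("spread to:", analyze(FLOWS, "ws-07", "2024-01-01T10:00:00"))
    print("came from:", analyze(FLOWS, "ws-07", "2024-01-01T10:00:00", forward=False))
    print("ws-07 communications per hour:", degree_series(index)["ws-07"])
```

Two design points worth noting. Indexing by period is what lets the analyzer jump straight to the detection time instead of scanning every edge, but the period representation still holds edges from before the detection within that same period, so the trace applies an exact time cut as well; moving the detection time from 10:00 to 10:03 in the sample drops `dc-01` from the result. Propagating along communication direction only, rather than across any edge, keeps a busy hub such as `dc-01` from pulling every client that ever contacted it into the associated set.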