LATERAL MOVEMENT DETECTION THROUGH GRAPH-BASED CANDIDATE SELECTION
First Claim
1. A method, comprising:
accessing, by a computer system, event data indicative of events related to a plurality of entities associated with a network;
identifying, by the computer system, based on the event data, lateral movement candidate entities by identifying a subset of the plurality of entities as being associated with particular events that indicate lateral movement in the network;
creating, by the computer system, based on the event data, a graph data structure that is indicative of a sequence of events associated with the lateral movement candidate entities; and
analyzing, by the computer system, the graph data structure to identify a potential security threat by identifying a subset of the lateral movement candidate entities that are associated with a particular sequence of events.
1 Assignment
0 Petitions
Abstract
A lateral movement application identifies lateral movement (LM) candidates that potentially represent a security threat. Security platforms generate event data when performing security-related functions, such as authenticating a user account. The disclosed technology enables substantially more accurate identification of LM candidates by, for example, refining a population of LM candidates based on an analysis of a time-constrained graph in which nodes represent entities and edges between nodes represent a time sequence of login or other association activities between the entities. The graph is created from an analysis of the event data, including the time sequences of the events.
30 Claims
1. A method, comprising:
accessing, by a computer system, event data indicative of events related to a plurality of entities associated with a network;
identifying, by the computer system, based on the event data, lateral movement candidate entities by identifying a subset of the plurality of entities as being associated with particular events that indicate lateral movement in the network;
creating, by the computer system, based on the event data, a graph data structure that is indicative of a sequence of events associated with the lateral movement candidate entities; and
analyzing, by the computer system, the graph data structure to identify a potential security threat by identifying a subset of the lateral movement candidate entities that are associated with a particular sequence of events.
Dependent claims: 2 to 28.
29. A computing device, comprising:
a processor; and
a memory storing instructions that, when executed by the processor, cause the processor to perform a process including:
accessing event data indicative of events related to a plurality of entities associated with a network;
identifying, based on the event data, lateral movement candidate entities by identifying a subset of the plurality of entities as being associated with particular events that indicate lateral movement in the network;
creating, based on the event data, a graph data structure that is indicative of a sequence of events associated with the lateral movement candidate entities; and
analyzing the graph data structure to identify a potential security threat by identifying a subset of the lateral movement candidate entities that are associated with a particular sequence of events.
30. A non-transitory machine-readable storage medium storing instructions which, when executed by at least one processor, cause the at least one processor to perform operations, comprising:
accessing event data indicative of events related to a plurality of entities associated with a network;
identifying, based on the event data, lateral movement candidate entities by identifying a subset of the plurality of entities as being associated with particular events that indicate lateral movement in the network;
creating, based on the event data, a graph data structure that is indicative of a sequence of events associated with the lateral movement candidate entities; and
analyzing the graph data structure to identify a potential security threat by identifying a subset of the lateral movement candidate entities that are associated with a particular sequence of events.
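The four steps of claim 1 (and the time-constrained graph described in the abstract) as an added worked example. This is illustrative code written for this page, not code from the patent or its assignee. It assumes a pipe-delimited authentication log (constructed sample lines embedded below), treats a successful login whose source host differs from its destination host as the "particular event that indicates lateral movement", builds a graph whose nodes are hosts and whose edges are time-stamped logins, and reports hop sequences that occur in strictly increasing time order inside a configurable window. The candidate criterion, the window length, and the field layout are assumptions, not details taken from the claims.

```python
"""Added example: time-constrained login graph for lateral-movement candidates."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample events (illustrative, not from the patent).
# Fields: timestamp | event type | account | source host | destination host
SAMPLE_EVENTS = """\
2024-05-01T09:00:00|login_success|alice|ws01|ws01
2024-05-01T09:05:00|login_success|alice|ws01|fs01
2024-05-01T09:12:00|login_success|alice|fs01|db01
2024-05-01T09:20:00|login_success|svc_backup|db01|dc01
2024-05-01T11:00:00|login_success|bob|ws02|fs01
2024-05-01T14:00:00|login_failure|bob|ws02|dc01
2024-05-02T09:30:00|login_success|carol|ws03|ws03
"""


class Event(NamedTuple):
    ts: datetime
    kind: str
    user: str
    src: str
    dst: str


Edge = Tuple[datetime, str, str, str]  # (ts, user, src, dst): one login hop


def parse_events(text: str) -> List[Event]:
    """Step 1: access the event data (a pipe-delimited dump, sorted by time)."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, user, src, dst = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), kind, user, src, dst))
    return sorted(events, key=lambda e: e.ts)


def select_candidates(events: List[Event]) -> List[Event]:
    """Step 2: keep events that indicate lateral movement. Assumed criterion:
    a successful login whose source host differs from its destination host."""
    return [e for e in events if e.kind == "login_success" and e.src != e.dst]


def build_graph(candidates: List[Event]) -> Dict[str, List[Edge]]:
    """Step 3: nodes are hosts; edges are time-stamped logins out of a host."""
    graph: Dict[str, List[Edge]] = defaultdict(list)
    for e in candidates:
        graph[e.src].append((e.ts, e.user, e.src, e.dst))
    for edges in graph.values():
        edges.sort()  # tuples sort on ts first
    return graph


def find_chains(graph: Dict[str, List[Edge]], window: timedelta,
                min_hops: int = 2) -> List[List[Edge]]:
    """Step 4: maximal login sequences A->B->C... in which every hop happens
    after the previous one and the whole sequence fits inside `window`."""
    chains: List[List[Edge]] = []

    def extend(path: List[Edge]) -> None:
        first_ts, last = path[0][0], path[-1]
        nxt = [e for e in graph.get(last[3], [])
               if e[0] > last[0] and e[0] - first_ts <= window]
        if not nxt:
            if len(path) >= min_hops:
                chains.append(path)
            return
        for e in nxt:
            extend(path + [e])

    for edges in list(graph.values()):
        for e in edges:
            extend([e])

    def is_sub(short: List[Edge], long: List[Edge]) -> bool:
        n = len(short)
        return any(long[i:i + n] == short for i in range(len(long) - n + 1))

    # Report each sequence once: drop chains contained in a longer chain.
    return [c for c in chains
            if not any(len(o) > len(c) and is_sub(c, o) for o in chains)]


def entities_in(chain: List[Edge]) -> Tuple[set, set]:
    """The subset of candidate entities tied to one suspicious sequence."""
    hosts = {h for _, _, s, d in chain for h in (s, d)}
    users = {u for _, u, _, _ in chain}
    return hosts, users


def detect(text: str = SAMPLE_EVENTS, window_minutes: int = 60) -> List[List[Edge]]:
    graph = build_graph(select_candidates(parse_events(text)))
    return find_chains(graph, timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for chain in detect():
        hosts, users = entities_in(chain)
        hops = " -> ".join([chain[0][2]] + [e[3] for e in chain])
        print("suspicious sequence:", hops)
        print("  accounts:", sorted(users), "hosts:", sorted(hosts))
```

With the sample data the only reported sequence is ws01 -> fs01 -> db01 -> dc01, spanning two accounts (alice, then svc_backup), which is the "subset of the lateral movement candidate entities associated with a particular sequence of events" of claim 1. Bob's 11:00 login to fs01 is not chained onto the earlier fs01 -> db01 hop because that hop happened before he arrived; the time constraint on edges is what keeps ordinary concurrent administration from being fused into one path. Shrinking the window to ten minutes splits the single chain into two shorter ones, which is the kind of refinement of the candidate population the abstract describes.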
Specification