LATERAL MOVEMENT DETECTION THROUGH GRAPH-BASED CANDIDATE SELECTION
First Claim
1. A method, comprising:
accessing, by a computer system, event data indicative of events related to a plurality of entities associated with a network;
identifying, by the computer system, based on the event data, lateral movement candidate entities by identifying a subset of the plurality of entities as being associated with particular events that indicate lateral movement in the network;
creating, by the computer system, based on the event data, a graph data structure that is indicative of a sequence of events associated with the lateral movement candidate entities; and
analyzing, by the computer system, the graph data structure to identify a potential security threat by identifying a subset of the lateral movement candidate entities that are associated with a particular sequence of events.
1 Assignment
0 Petitions
Abstract
A lateral movement application identifies lateral movement (LM) candidates that potentially represent a security threat. Security platforms generate event data when performing security-related functions, such as authenticating a user account. The disclosed technology identifies LM candidates with substantially higher accuracy by, for example, refining a population of LM candidates based on an analysis of a time-constrained graph in which nodes represent entities and edges between nodes represent a time sequence of login or other association activities between the entities. The graph is created from an analysis of the event data, including the time sequences of the events.
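The four steps of claim 1, worked through on constructed data, as an added example that is not code from the patent or from any product implementing it. Event data is a list of timestamped (source entity, destination entity, event type) records; the set of event types treated as "indicating lateral movement" (LM_EVENT_TYPES), the one-hour hop window, and the minimum chain length are assumptions made for the example, not values the patent specifies. Candidate selection keeps only entities that appear in such events, the graph is a directed multigraph whose edges carry the event time, and the analysis step walks the graph looking for chains of hops whose timestamps strictly increase and stay within the window, which is what makes the graph "time constrained":

```python
"""Graph-based lateral movement candidate selection (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event types we treat as indicating lateral movement. Assumption for the
# example; the patent does not enumerate event types.
LM_EVENT_TYPES = {"remote_logon", "remote_exec"}

# Constructed sample events: (ISO timestamp, source entity, destination entity, type).
SAMPLE_EVENTS = [
    ("2024-03-01T08:55:00", "user:alice", "host:ws01", "interactive_logon"),
    ("2024-03-01T09:05:00", "host:ws01", "host:fs02", "remote_logon"),
    ("2024-03-01T09:03:00", "host:ws01", "host:print01", "remote_logon"),
    ("2024-03-01T09:12:00", "host:fs02", "host:db03", "remote_logon"),
    ("2024-03-01T09:20:00", "host:db03", "host:dc01", "remote_exec"),
    ("2024-03-01T08:00:00", "host:dc01", "host:ws01", "remote_logon"),  # before the chain
    ("2024-03-01T14:00:00", "host:ws07", "host:fs02", "remote_logon"),  # hours after it
]


def parse_events(rows):
    """Step 1: access the event data and normalise it into time order."""
    return sorted(
        ({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "type": typ}
         for ts, src, dst, typ in rows),
        key=lambda e: e["ts"],
    )


def select_candidates(events, lm_types=LM_EVENT_TYPES):
    """Step 2: entities that take part in any event indicating lateral movement."""
    cands = set()
    for e in events:
        if e["type"] in lm_types:
            cands.update((e["src"], e["dst"]))
    return cands


def build_graph(events, candidates, lm_types=LM_EVENT_TYPES):
    """Step 3: directed multigraph over candidates; each edge carries its event time."""
    graph = defaultdict(list)
    for e in events:
        if e["type"] in lm_types and e["src"] in candidates and e["dst"] in candidates:
            graph[e["src"]].append((e["ts"], e["dst"]))
    for src in graph:
        graph[src].sort()
    return graph


def find_chains(graph, min_hops=2, max_gap=timedelta(hours=1)):
    """Step 4: time-constrained paths. Each hop must happen after the previous
    hop and within max_gap of it, and no entity is revisited. Returns maximal
    chains (not extendable and not a suffix of a longer chain) of >= min_hops."""
    chains = []

    def extend(chain, visited):
        last_src, last_dst, last_ts = chain[-1]
        extended = False
        for ts, dst in graph.get(last_dst, []):
            if last_ts < ts <= last_ts + max_gap and dst not in visited:
                extended = True
                extend(chain + [(last_dst, dst, ts)], visited | {dst})
        if not extended and len(chain) >= min_hops:
            chains.append(chain)

    for src, edges in list(graph.items()):
        for ts, dst in edges:
            extend([(src, dst, ts)], {src, dst})
    # Drop chains that are merely the tail of a longer chain found from an earlier start.
    return [c for c in chains
            if not any(len(o) > len(c) and o[-len(c):] == c for o in chains)]


def chain_to_str(chain):
    return " -> ".join([chain[0][0]] + [hop[1] for hop in chain])


def detect_lateral_movement(rows, min_hops=2, max_gap=timedelta(hours=1)):
    events = parse_events(rows)
    candidates = select_candidates(events)
    graph = build_graph(events, candidates)
    return find_chains(graph, min_hops, max_gap)


if __name__ == "__main__":
    for chain in detect_lateral_movement(SAMPLE_EVENTS):
        print(chain_to_str(chain))  # host:ws01 -> host:fs02 -> host:db03 -> host:dc01
```

On the sample data the time constraint is what separates the one suspicious chain (ws01 to fs02 to db03 to dc01 within 15 minutes) from two edges that a plain reachability query would also pull in: the dc01 to ws01 logon at 08:00 precedes the chain and so cannot be a continuation of it, and the ws07 to fs02 logon at 14:00 is hours after fs02 moved on. Tightening max_gap to five minutes breaks every hop pair and returns no chains, which is the tuning knob a practitioner would expect to expose.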
72 Citations
30 Claims
1. A method, comprising:
accessing, by a computer system, event data indicative of events related to a plurality of entities associated with a network;
identifying, by the computer system, based on the event data, lateral movement candidate entities by identifying a subset of the plurality of entities as being associated with particular events that indicate lateral movement in the network;
creating, by the computer system, based on the event data, a graph data structure that is indicative of a sequence of events associated with the lateral movement candidate entities; and
analyzing, by the computer system, the graph data structure to identify a potential security threat by identifying a subset of the lateral movement candidate entities that are associated with a particular sequence of events.
Dependent claims: 2-28.

29. A computing device, comprising:
a processor; and
a memory storing instructions that, when executed by the processor, cause the processor to perform a process including:
accessing event data indicative of events related to a plurality of entities associated with a network;
identifying, based on the event data, lateral movement candidate entities by identifying a subset of the plurality of entities as being associated with particular events that indicate lateral movement in the network;
creating, based on the event data, a graph data structure that is indicative of a sequence of events associated with the lateral movement candidate entities; and
analyzing the graph data structure to identify a potential security threat by identifying a subset of the lateral movement candidate entities that are associated with a particular sequence of events.

30. A non-transitory machine-readable storage medium storing instructions which, when executed by at least one processor, cause the at least one processor to perform operations, comprising:
accessing event data indicative of events related to a plurality of entities associated with a network;
identifying, based on the event data, lateral movement candidate entities by identifying a subset of the plurality of entities as being associated with particular events that indicate lateral movement in the network;
creating, based on the event data, a graph data structure that is indicative of a sequence of events associated with the lateral movement candidate entities; and
analyzing the graph data structure to identify a potential security threat by identifying a subset of the lateral movement candidate entities that are associated with a particular sequence of events.
Specification