DETECTING MALICIOUS LATERAL MOVEMENT ACROSS A COMPUTER NETWORK
First Claim
1. A method for detecting malicious computers in a computer network, the method comprising:
generating a graph representing the computer network, the graph comprising nodes that represent computers and user accounts, and edges that represent computer connections and user logon events;
determining a weight of each of the plurality of edges in the graph;
determining a path-rate score for a plurality of paths in the graph using the weight of each of the plurality of edges;
ranking the plurality of paths based on the path-rate score for each of the plurality of paths; and
identifying the malicious computers in the computer network based on the ranking.
1 Assignment
0 Petitions
Abstract
Graph-based detection systems and techniques are provided to identify potential malicious lateral movement paths. System and security events may be used to generate a network connection graph and to detect remote file executions and other indicators, for use in tracking malicious lateral movement across a computer network, such as a compromised computer network. Lateral movement determination across a computer network may be divided into two subproblems: forensic analysis and general detection. With forensic analysis, given a known malicious node, possible lateral movement leading into or out of that node is identified. General detection identifies previously unknown malicious lateral movement on a network using a remote file execution detector, and/or other detectors, together with a rare path anomaly detection algorithm.
97 Citations
20 Claims
12. A system for detecting malicious computers in a computer network, the system comprising:
a remote file execution detector configured to detect at least one remote file execution event;
a network graph construction module configured to generate a graph representing the computer network, the graph comprising nodes that represent computers and user accounts, and edges that represent computer connections and user logon events;
a path-rate score module configured to determine a path-rate score for a plurality of paths in the graph;
a general detection module configured to process the graph using the at least one remote file execution event and the path-rate score;
a forensic analysis module configured to process the graph using a compromised computer and account list and the path-rate score; and
a ranking module configured to rank the plurality of paths based on at least one of a result from the general detection module or a result from the forensic analysis module, and output results of the ranking.
13. The system of claim 12, further comprising an automatic account disabling module configured to disable at least one of a malicious computer or a malicious user account responsive to the results of the ranking.
17. A method for detecting malicious computers in a computer network, the method comprising:
receiving, at a forensic analysis module of a computing device, an identification of a compromised node on a network connection graph corresponding to the computer network, the compromised node indicating a malicious computer or account on the computer network;
receiving, at the forensic analysis module of the computing device, a path-rate score for a plurality of paths in the network connection graph, each of the plurality of paths comprising the malicious node and at least one other node of the network connection graph; and
identifying, at the forensic analysis module of the computing device, lateral movement on the computer network using the identification of the compromised node and the path-rate score for the plurality of paths in the network connection graph.
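The procedure of claim 1 (build a graph of computers and accounts from logon events, weight the edges, score and rank paths, pick out the computers on the top paths) and the forensic mode of claim 17 (rank only the paths that pass through a node already known to be compromised), run over constructed logon events. This is an added example, not the patent's own code. The page does not define the edge weight or the path-rate score, so the choices here are assumptions: an edge's rate is its share of all observed logon edges, its weight is -log(rate), and a path's score is the mean weight per edge. The host names, the events, and the `REMOTE_EXEC_HOSTS` set standing in for the remote file execution detector of claim 12 are likewise constructed.

```python
"""Rare-path ranking over a logon graph (added example, not the patent's code).

Assumed scoring: edge rate = count / total observed edges, weight = -log rate,
path-rate score = mean edge weight along the path. The page defines none of these.
"""
import math
from collections import Counter, defaultdict

# Constructed sample logon events: (source host, account, target host).
# Routine traffic repeats many times; the two RARE events form the chain
# the ranking should surface (ws07 -> dc01 -> hr-db, both via svc_backup).
ROUTINE = ([("ws01", "alice", "fs01")] * 40 + [("ws02", "bob", "fs01")] * 35
           + [("ws03", "carol", "mail01")] * 25
           + [("fs01", "svc_backup", "dc01")] * 20)
RARE = [("ws07", "svc_backup", "dc01"), ("dc01", "svc_backup", "hr-db")]
EVENTS = ROUTINE + RARE

# Constructed output of a hypothetical remote file execution detector:
# hosts on which a file was launched through a remote service in the window.
REMOTE_EXEC_HOSTS = {"hr-db"}


def account(name):
    """Account nodes carry a prefix so they never collide with host names."""
    return "acct:" + name


def build_graph(events):
    """Edge counts. A logon (s, a, t) yields edges s -> acct:a and acct:a -> t."""
    counts = Counter()
    for src, acct, dst in events:
        counts[(src, account(acct))] += 1
        counts[(account(acct), dst)] += 1
    return counts


def edge_weights(counts):
    """weight(u, v) = -log(count(u, v) / total edges): the rarer, the heavier."""
    total = sum(counts.values())
    return {edge: -math.log(n / total) for edge, n in counts.items()}


def host_paths(weights, max_host_hops=2):
    """Walks host -> account -> host (-> account -> host ...), up to max_host_hops.
    Hosts are never revisited; account nodes may be, because one account can
    carry several hops of a lateral-movement chain."""
    adj = defaultdict(list)
    for u, v in weights:
        adj[u].append(v)
    hosts = ({u for u, _ in weights if not u.startswith("acct:")}
             | {v for _, v in weights if not v.startswith("acct:")})
    paths = []

    def walk(path, hops):
        for acct in adj[path[-1]]:          # accounts used from this host
            for dst in adj[acct]:           # hosts this account logged on to
                if dst in path:
                    continue
                new = path + [acct, dst]
                paths.append(tuple(new))
                if hops + 1 < max_host_hops:
                    walk(new, hops + 1)

    for host in sorted(hosts):
        walk([host], 0)
    return paths


def path_rate_score(path, weights):
    """Mean edge weight along the path (assumed definition, see module doc)."""
    return sum(weights[e] for e in zip(path, path[1:])) / (len(path) - 1)


def rank_paths(paths, weights):
    """Rarest path first."""
    return sorted(((path_rate_score(p, weights), p) for p in paths),
                  key=lambda sp: -sp[0])


def hosts_on(paths):
    return {n for p in paths for n in p if not n.startswith("acct:")}


def general_detection(events, remote_exec_hosts, top_k=3):
    """Unknown compromise: rank the paths that end on a host with a remote file
    execution detection and report the hosts on the top_k of them."""
    weights = edge_weights(build_graph(events))
    ranked = rank_paths(host_paths(weights), weights)
    hits = [p for _, p in ranked if p[-1] in remote_exec_hosts][:top_k]
    return hits, hosts_on(hits)


def forensic_analysis(events, compromised, top_k=3):
    """Known compromised node: rank only the paths that pass through it."""
    weights = edge_weights(build_graph(events))
    ranked = rank_paths(host_paths(weights), weights)
    hits = [p for _, p in ranked if compromised in p][:top_k]
    return hits, hosts_on(hits)


if __name__ == "__main__":
    for label, (paths, hosts) in (("general", general_detection(EVENTS, REMOTE_EXEC_HOSTS)),
                                  ("forensic(ws07)", forensic_analysis(EVENTS, "ws07"))):
        print(label, sorted(hosts))
        for p in paths:
            print("   " + " -> ".join(p))
```

Two caveats a practitioner will hit immediately. First, because an account is a single shared node, the graph connects every host that account ever came from to every host it ever reached: the top-ranked path here, ws07 -> svc_backup -> hr-db, never occurred as a logon (the real chain went through dc01). A production version keys account nodes per source host or keeps timestamps on edges and only accepts paths whose hops are time-ordered. Second, computing edge rates from the same window being scored lets a noisy attacker raise their own rates; rates should come from a longer baseline window than the one under detection.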
Specification