DETECTING MALICIOUS LATERAL MOVEMENT ACROSS A COMPUTER NETWORK

US 20180367548A1
Filed: 06/14/2017
Published: 12/20/2018
Est. Priority Date: 06/14/2017
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious computers in a computer network, the method comprising:

generating a graph representing the computer network, the graph comprising nodes that represent computers and user accounts, and edges that represent computer connections and user logon events;

determining a weight of each of the plurality of edges in the graph;

determining a path-rate score for a plurality of paths in the graph using the weight of each of the plurality of edges;

ranking the plurality of paths based on the path-rate score for each of the plurality of paths; and

identifying the malicious computers in the computer network based on the ranking.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Graph-based detection systems and techniques are provided to identify potential malicious lateral movement paths. System and security events may be used to generate a network connection graph and detect remote file executions and/or other detections, for use in tracking malicious lateral movement across a computer network, such as a compromised computer network. Lateral movement determination across a computer network may be divided into two subproblems: forensic analysis and general detection. With forensic analysis, given a malicious node, possible lateral movement leading into or out of the node is identified. General detection identifies previously unknown malicious lateral movement on a network using a remote file execution detector, and/or other detectors, and a rare path anomaly detection algorithm.

97 Citations

View as Search Results

20 Claims

1. A method for detecting malicious computers in a computer network, the method comprising:
- generating a graph representing the computer network, the graph comprising nodes that represent computers and user accounts, and edges that represent computer connections and user logon events;
  
  determining a weight of each of the plurality of edges in the graph;
  
  determining a path-rate score for a plurality of paths in the graph using the weight of each of the plurality of edges;
  
  ranking the plurality of paths based on the path-rate score for each of the plurality of paths; and
  
  identifying the malicious computers in the computer network based on the ranking.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising filtering a plurality of the nodes from the graph, prior to determining the path-rate score for the plurality of paths in the graph.
  - 3. The method of claim 2, further comprising filtering at least one of the plurality of the paths from the graph prior to determining the path-rate score.
  - 4. The method of claim 1, wherein determining the path-rate score for the plurality of paths in the graph comprises computing the path-rate score for each path along a rare path in the graph.
  - 5. The method of claim 1, further comprising eliminating infeasible paths from the graph.
  - 6. The method of claim 1, further comprising eliminating paths outside a threshold amount of time from the graph.
  - 7. The method of claim 1, further comprising disabling the identified malicious computers.
  - 8. The method of claim 1, further comprising identifying a malicious user account in the computer network based on the ranking, and disabling the malicious user account.
  - 9. The method of claim 1, wherein the plurality of paths comprise 1-hop paths and 2-hop paths.
  - 10. The method of claim 1, further comprising performing forensic analysis on the graph, wherein ranking the plurality of paths is further based on a result of the forensic analysis.
  - 11. The method of claim 1, further comprising performing general detection on the graph, wherein ranking the plurality of paths is further based on a result of the general detection.

12. A system for detecting malicious computers in a computer network, the system comprising:
- a remote file execution detector configured to detect at least one remote file execution event;
  
  a network graph construction module configured to generate a graph representing the computer network, the graph comprising nodes that represent computers and user accounts, and edges that represent computer connections and user logon events;
  
  a path-rate score module configured to determine a path-rate score for a plurality of paths in the graph;
  
  a general detection module configured to process the graph using the at least one remote file execution event and the path-rate score;
  
  a forensic analysis module configured to process the graph using a compromised computer and account list and the path-rate score; and
  
  a ranking module configured to rank the plurality of paths based on at least one of a result from the general detection module or a result from the forensic analysis module, and output results of the ranking.
- View Dependent Claims (14, 15, 16)
- - 14. The system of claim 12, wherein the remote file execution detector is configured to detect the least one remote file execution event from at least one computing device of the computer network.
  - 15. The system of claim 12, wherein the ranking module is configured to identify at least one of a malicious computer or a malicious user account in the computer network based on the ranking.
  - 16. The system of claim 12, wherein the plurality of paths comprises 1-hop paths and 2-hop paths.

13. The system of 12, further comprising an automatic account disabling module configured to disable at least one of a malicious computer or a malicious user account responsive to the results of the ranking.

17. A method for detecting malicious computers in a computer network, the method comprising:
- receiving, at a forensic analysis module of a computing device, an identification of a compromised node on a network connection graph corresponding to the computer network, the compromised node indicating a malicious computer or account on the computer network;
  
  receiving, at the forensic analysis module of the computing device, a path-rate score for a plurality of paths in the network connection graph, each of the plurality of paths comprising the malicious node and at least one other node of the network connection graph; and
  
  identifying, at the forensic analysis module of the computing device, lateral movement on the computer network using the identification of the compromised node and the path-rate score for the plurality of paths in the network connection graph.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein identifying lateral movement comprises identifying lateral movement into the compromised node.
  - 19. The method of claim 17, wherein identifying lateral movement comprises identifying lateral movement out of the compromised node.
  - 20. The method of claim 17, wherein identifying lateral movement comprises using 1-hop connections with the compromised node and using 2-hop connections with the compromised node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
STOKES, III, Jack Wilson, MEAD, Robert James, BURRELL, Tim William, HELLEN, Ian, LAMBERT, John Joseph, CUI, Weidong, MAROCHKO, Andrey, LIU, Qingyun

Granted Patent

US 10,505,954 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 43/045   for graphical visualisation...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

H04L 67/10   in which an application is ...

DETECTING MALICIOUS LATERAL MOVEMENT ACROSS A COMPUTER NETWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

97 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTING MALICIOUS LATERAL MOVEMENT ACROSS A COMPUTER NETWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links