Systems and methods for adjusting suspiciousness scores in event-correlation graphs

US 9,148,441 B1
Filed: 12/23/2013
Issued: 09/29/2015
Est. Priority Date: 12/23/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for adjusting suspiciousness scores in event-correlation graphs, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

detecting a suspicious event involving a first actor and a second actor within a computing system, wherein the suspicious event could not be individually classified as definitively malicious;

constructing, after the suspicious event involving the first actor and the second actor is detected, an event-correlation graph, wherein the event-correlation graph comprises at least;

a representation of the first actor;

a representation of the suspicious event, wherein the representation of the suspicious event and the representation of the first actor are interconnected;

a representation of the second actor, wherein the representation of the second actor and the representation of the suspicious event are interconnected;

a representation of an additional suspicious event involving the first actor and an additional actor;

a representation of the additional actor, wherein;

the representation of the first actor and the representation of the additional suspicious event are interconnected;

the representation of the additional actor and the representation of the additional suspicious event are interconnected;

the additional suspicious event could not be individually classified as definitively malicious;

each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious;

adjusting a suspiciousness score associated with at least one of an actor represented in the event-correlation graph and a suspicious event represented in the event-correlation graph based at least in part on a suspiciousness score associated with at least one other actor or suspicious event represented in the event-correlation graph such that the adjusted suspiciousness score is influenced by the suspiciousness score associated with the at least one other actor or suspicious event.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for adjusting suspiciousness scores in event-correlation graphs may include (1) detecting a suspicious event involving a first actor and a second actor within a computing system, (2) constructing an event-correlation graph that includes (i) a representation of the first actor, (ii) a representation of the suspicious event, and (iii) a representation of the second actor, and (3) adjusting a suspiciousness score associated with at least one representation in the event-correlation graph based at least in part on a suspiciousness score associated with at least one other representation in the event-correlation graph such that the adjusted suspiciousness score associated with the at least one representation is influenced by the suspicious event. Various other methods, systems, and computer-readable media are also disclosed.

63 Citations

View as Search Results

20 Claims

1. A computer-implemented method for adjusting suspiciousness scores in event-correlation graphs, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- detecting a suspicious event involving a first actor and a second actor within a computing system, wherein the suspicious event could not be individually classified as definitively malicious;
  
  constructing, after the suspicious event involving the first actor and the second actor is detected, an event-correlation graph, wherein the event-correlation graph comprises at least;
  
  a representation of the first actor;
  
  a representation of the suspicious event, wherein the representation of the suspicious event and the representation of the first actor are interconnected;
  
  a representation of the second actor, wherein the representation of the second actor and the representation of the suspicious event are interconnected;
  
  a representation of an additional suspicious event involving the first actor and an additional actor;
  
  a representation of the additional actor, wherein;
  
  the representation of the first actor and the representation of the additional suspicious event are interconnected;
  
  the representation of the additional actor and the representation of the additional suspicious event are interconnected;
  
  the additional suspicious event could not be individually classified as definitively malicious;
  
  each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious;
  
  adjusting a suspiciousness score associated with at least one of an actor represented in the event-correlation graph and a suspicious event represented in the event-correlation graph based at least in part on a suspiciousness score associated with at least one other actor or suspicious event represented in the event-correlation graph such that the adjusted suspiciousness score is influenced by the suspiciousness score associated with the at least one other actor or suspicious event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The computer-implemented method of claim 1, wherein:
    - the representation of the first actor is associated with a suspiciousness score of the first actor that indicates a likelihood that the first actor is malicious;
      
      the representation of the suspicious event is associated with a suspiciousness score of the suspicious event that indicates a likelihood that the suspicious event is malicious;
      
      the representation of the second actor is associated with a suspiciousness score of the second actor that indicates a likelihood that the second actor is malicious.
  - 3. The computer-implemented method of claim 1, wherein:
    - the representation of the first actor comprises a first node;
      
      the representation of the suspicious event comprises a second node;
      
      the representation of the second actor comprises a third node;
      
      the first node and the second node are interconnected by a first edge;
      
      the second node and the third node are interconnected by a second edge.
  - 4. The computer-implemented method of claim 3, wherein adjusting the suspiciousness score comprises:
    - determining a prior probability distribution for each node in the event-correlation graph based at least in part on the suspiciousness score associated with the node for which the prior probability distribution is determined;
      
      iteratively propagating a probability among the nodes in the event-correlation graph that indicates whether the actor or suspicious event represented by the node is malicious by transmitting messages along the edges in the event-correlation graph, wherein a message transmitted by a transmitting node is generated based at least in part on the prior probability distribution of the transmitting node and messages received by the transmitting node from other nodes in the event-correlation graph during any previous iterations;
      
      adjusting the suspiciousness score associated with the node based at least in part on the probability that indicates whether the actor or suspicious event represented by the node is malicious.
  - 5. The computer-implemented method of claim 4, further comprisingdetermining an edge potential for each edge in the event-correlation graph based at least in part on at least one of:
    - a probability that a malicious actor exists within a computing environment within which malware is prevented;
      
      a probability that a benign actor exists within the computing environment within which malware is prevented;
      
      a probability that a malicious event occurs within the computing environment within which malware is prevented;
      
      a probability that a benign event occurs within the computing environment within which malware is prevented;
      
      a probability that a malicious actor exists within a computing environment within which malware is not prevented;
      
      a probability that a benign actor exists within the computing environment within which malware is not prevented;
      
      a probability that a malicious event occurs within the computing environment within which malware is not prevented;
      
      a probability that a benign event occurs within the computing environment within which malware is not prevented, wherein the message transmitted by the transmitting node is generated based at least in part on the edge potential of the edge in the event-correlation graph along which the transmitting node transmits the message.
  - 6. The computer-implemented method of claim 1, wherein adjusting the suspiciousness score comprises applying a belief-propagation algorithm to the event-correlation graph.
  - 7. The computer-implemented method of claim 1, further comprising:
    - calculating, based at least in part on the adjusted suspiciousness score, an attack score for the event-correlation graph;
      
      determining that the attack score is greater than a predetermined threshold;
      
      determining, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event comprises an attack on the computing system;
      
      reporting the attack on the computing system.
  - 8. The computer-implemented method of claim 7, wherein reporting the attack on the computing system comprises:
    - determining, based at least in part on the adjusted suspiciousness score, that the actor or the suspicious event associated with the adjusted suspiciousness score was a significant factor in the attack on the computing system;
      
      emphasizing the actor or the suspicious event associated with the adjusted suspiciousness score based at least in part on the actor or the suspicious event associated with the adjusted suspiciousness score having been a significant factor in the attack on the computing system.
  - 9. The computer-implemented method of claim 8, wherein determining that the actor or the suspicious event associated with the adjusted suspiciousness score was a significant factor in the attack on the computing system comprises determining that the adjusted suspiciousness score was adjusted by more than an additional predetermined threshold.
  - 10. The computer-implemented method of claim 7, wherein reporting the attack on the computing system comprises:
    - determining, based at least in part on the adjusted suspiciousness score associated with the at least one representation, that the actor or the suspicious event associated with the adjusted suspiciousness score was not a significant factor in the attack on the computing system;
      
      de-emphasizing the actor or the suspicious event associated with the adjusted suspiciousness score based at least in part on the actor or the suspicious event associated with the adjusted suspiciousness score not having been a significant factor in the attack on the computing system.
  - 11. The computer-implemented method of claim 1, wherein adjusting the suspiciousness score comprises applying a heat-diffusion algorithm to the event-correlation graph.
  - 12. The computer-implemented method of claim 1, wherein adjusting the suspiciousness score comprises applying a label-propagation algorithm to the event-correlation graph.
  - 13. The computer-implemented method of claim 1, wherein constructing the event-correlation graph comprises, for each actor represented within the event-correlation graph:
    - identifying a set of events that involve the actor and at least one other actor;
      
      for each event within the set of events;
      
      adding a representation of the other actor to the event-correlation graph;
      
      adding a representation of the event to the event-correlation graph, wherein;
      
      the representation of the actor and the representation of the event are interconnected;
      
      the representation of the event and the representation of the other actor are interconnected.
  - 14. The computer-implemented method of claim 13, wherein the set of events comprises a set of suspicious events.

15. A system for adjusting suspiciousness scores in event-correlation graphs, the system comprising:
- a detecting module, stored in memory, that detects a suspicious event involving a first actor and a second actor within a computing system, wherein the suspicious event could not be individually classified as definitively malicious;
  
  a constructing module, stored in memory, that constructs, after the suspicious event involving the first actor and the second actor is detected, an event-correlation graph, wherein the event-correlation graph comprises at least;
  
  a representation of the first actor;
  
  a representation of the suspicious event, wherein the representation of the suspicious event and the representation of the first actor are interconnected;
  
  a representation of the second actor, wherein the representation of the second actor and the representation of the suspicious event are interconnected;
  
  a representation of an additional suspicious event involving the first actor and an additional actor;
  
  a representation of the additional actor, wherein;
  
  the representation of the first actor and the representation of the additional suspicious event are interconnected;
  
  the representation of the additional actor and the representation of the additional suspicious event are interconnected;
  
  the additional suspicious event could not be individually classified as definitively malicious;
  
  each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious;
  
  an adjusting module, stored in memory, that adjusts a suspiciousness score associated with at least one of an actor represented in the event-correlation graph and a suspicious event represented in the event-correlation graph based at least in part on a suspiciousness score associated with at least one other actor or suspicious event represented in the event-correlation graph such that the adjusted suspiciousness score is influenced by the suspiciousness score associated with the at least one other actor or suspicious event;
  
  at least one physical processor that executes the detecting module, the constructing module, and the adjusting module.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The system of claim 15, wherein:
    - the representation of the first actor is associated with a suspiciousness score of the first actor that indicates a likelihood that the first actor is malicious;
      
      the representation of the suspicious event is associated with a suspiciousness score of the suspicious event that indicates a likelihood that the suspicious event is malicious;
      
      the representation of the second actor is associated with a suspiciousness score of the second actor that indicates a likelihood that the second actor is malicious.
  - 17. The system of claim 15, wherein:
    - the representation of the first actor comprises a first node;
      
      the representation of the suspicious event comprises a second node;
      
      the representation of the second actor comprises a third node;
      
      the first node and the second node are interconnected by a first edge;
      
      the second node and the third node are interconnected by a second edge.
  - 18. The system of claim 17, wherein the adjusting module adjusts the suspiciousness score by:
    - determining a prior probability distribution for each node in the event-correlation graph based at least in part on the suspiciousness score associated with the node for which the prior probability distribution is determined;
      
      iteratively propagating a probability among the nodes in the event-correlation graph that indicates whether the actor or suspicious event represented by the node is malicious by transmitting messages along the edges in the event-correlation graph, wherein a message transmitted by a transmitting node is generated based at least in part on the prior probability distribution of the transmitting node and messages received by the transmitting node from other nodes in the event-correlation graph during any previous iterations;
      
      adjusting the suspiciousness score associated with the node based at least in part on the probability that indicates whether the actor or suspicious event represented by the node is malicious.
  - 19. The system of claim 15, wherein the adjusting module adjusts the suspiciousness score by applying a belief-propagation algorithm to the event-correlation graph.

20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- detect a suspicious event involving a first actor and a second actor within a computing system, wherein the suspicious event could not be individually classified as definitively malicious;
  
  construct, after the suspicious event involving the first actor and the second actor is detected, an event-correlation graph, wherein the event-correlation graph comprises at least;
  
  a representation of the first actor;
  
  a representation of the suspicious event, wherein the representation of the suspicious event and the representation of the first actor are interconnected;
  
  a representation of the second actor, wherein the representation of the second actor and the representation of the suspicious event are interconnected;
  
  a representation of an additional suspicious event involving the first actor and an additional actor;
  
  a representation of the additional actor, wherein;
  
  the representation of the first actor and the representation of the additional suspicious event are interconnected;
  
  the representation of the additional actor and the representation of the additional suspicious event are interconnected;
  
  the additional suspicious event could not be individually classified as definitively malicious;
  
  each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious;
  
  adjust a suspiciousness score associated with at least one of an actor represented in the event-correlation graph and a suspicious event represented in the event-correlation graph based at least in part on a suspiciousness score associated with at least one other actor or suspicious event represented in the event-correlation graph such that the adjusted suspiciousness score is influenced by the suspiciousness score associated with the at least one other actor or suspicious event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Tamersoy, Acar, Roundy, Kevin, Bhatkar, Sandeep, Khalil, Elias
Primary Examiner(s)
Ho, Dao

Application Number

US14/138,891
Time in Patent Office

645 Days
Field of Search

726/23, 726/25
US Class Current

1/1
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Systems and methods for adjusting suspiciousness scores in event-correlation graphs

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for adjusting suspiciousness scores in event-correlation graphs

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links