Systems and methods for adjusting suspiciousness scores in event-correlation graphs
First Claim
1. A computer-implemented method for adjusting suspiciousness scores in event-correlation graphs, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- detecting a suspicious event involving a first actor and a second actor within a computing system, wherein the suspicious event could not be individually classified as definitively malicious;
- constructing, after the suspicious event involving the first actor and the second actor is detected, an event-correlation graph, wherein the event-correlation graph comprises at least:
  - a representation of the first actor;
  - a representation of the suspicious event, wherein the representation of the suspicious event and the representation of the first actor are interconnected;
  - a representation of the second actor, wherein the representation of the second actor and the representation of the suspicious event are interconnected;
  - a representation of an additional suspicious event involving the first actor and an additional actor;
  - a representation of the additional actor, wherein:
    - the representation of the first actor and the representation of the additional suspicious event are interconnected;
    - the representation of the additional actor and the representation of the additional suspicious event are interconnected;
    - the additional suspicious event could not be individually classified as definitively malicious;
    - each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious;
- adjusting a suspiciousness score associated with at least one of an actor represented in the event-correlation graph and a suspicious event represented in the event-correlation graph based at least in part on a suspiciousness score associated with at least one other actor or suspicious event represented in the event-correlation graph such that the adjusted suspiciousness score is influenced by the suspiciousness score associated with the at least one other actor or suspicious event.
6 Assignments
0 Petitions
Abstract
A computer-implemented method for adjusting suspiciousness scores in event-correlation graphs may include (1) detecting a suspicious event involving a first actor and a second actor within a computing system, (2) constructing an event-correlation graph that includes (i) a representation of the first actor, (ii) a representation of the suspicious event, and (iii) a representation of the second actor, and (3) adjusting a suspiciousness score associated with at least one representation in the event-correlation graph based at least in part on a suspiciousness score associated with at least one other representation in the event-correlation graph such that the adjusted suspiciousness score associated with the at least one representation is influenced by the suspicious event. Various other methods, systems, and computer-readable media are also disclosed.
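The abstract describes the mechanism only in claim language, so the following Python block is added here as an illustration; it is not the patent's own implementation. It builds a bipartite event-correlation graph (actor nodes linked only to event nodes and vice versa), gives each event an individual suspiciousness score that on its own is below any alert threshold, and then adjusts every node's score from the scores of its neighbours. The propagation rule (base score plus a weighted sum of neighbour scores, capped at 1.0, iterated for a fixed number of synchronous rounds), the weight and round count, the threshold, and all actor and event names are assumptions constructed for this example. The point it shows is the one the abstract makes: an actor that sits at the junction of several individually inconclusive events ends up with a high adjusted score, while an isolated event of the same strength leaves its actors low.

```python
"""Added example: neighbour-based suspiciousness adjustment on a small
event-correlation graph. Illustrative code, not the patent's own method;
the propagation rule and all sample names and scores are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Node:
    kind: str                          # "actor" or "event"
    name: str
    score: float                       # individual suspiciousness in [0, 1]
    neighbors: set[str] = field(default_factory=set)


class EventCorrelationGraph:
    """Bipartite graph: an event node is connected to every actor it involves."""

    def __init__(self) -> None:
        self.nodes: dict[str, Node] = {}

    def add_actor(self, name: str, score: float = 0.0) -> None:
        # Actors start with no suspicion of their own unless told otherwise
        self.nodes.setdefault(name, Node("actor", name, score))

    def add_event(self, name: str, actors: list[str], score: float) -> None:
        event = Node("event", name, score)
        self.nodes[name] = event
        for actor in actors:
            self.add_actor(actor)
            event.neighbors.add(actor)
            self.nodes[actor].neighbors.add(name)

    def adjust_scores(self, weight: float = 0.5, rounds: int = 3) -> dict[str, float]:
        """Assumed rule: adjusted(n) = min(1, base(n) + weight * sum(current(nb)))
        over n's neighbours, updated synchronously for a fixed number of rounds.
        Using the previous round's values for every node keeps the result
        independent of dictionary iteration order."""
        current = {name: node.score for name, node in self.nodes.items()}
        for _ in range(rounds):
            updated = {}
            for name, node in self.nodes.items():
                influence = sum(current[nb] for nb in node.neighbors)
                updated[name] = min(1.0, node.score + weight * influence)
            current = updated
        return current


def flag_actors(scores: dict[str, float], graph: EventCorrelationGraph,
                threshold: float) -> list[str]:
    """Actors whose adjusted score crosses the (assumed) alert threshold."""
    return sorted(name for name, node in graph.nodes.items()
                  if node.kind == "actor" and scores[name] >= threshold)


def build_sample_graph() -> EventCorrelationGraph:
    """Constructed sample: three weak events share one actor (shell_proc);
    a fourth weak event of similar strength is unrelated to the others."""
    g = EventCorrelationGraph()
    g.add_event("E1_spawn", ["office_proc", "shell_proc"], 0.3)
    g.add_event("E2_write", ["shell_proc", "dropped_bin"], 0.2)
    g.add_event("E3_connect", ["shell_proc", "remote_host"], 0.4)
    g.add_event("E4_read", ["backup_proc", "share_dir"], 0.3)   # isolated
    return g


if __name__ == "__main__":
    graph = build_sample_graph()
    adjusted = graph.adjust_scores(weight=0.5, rounds=3)
    for name in sorted(adjusted):
        print(f"{graph.nodes[name].kind:5} {name:12} {adjusted[name]:.3f}")
    print("flagged:", flag_actors(adjusted, graph, threshold=0.6))
```

No single event in the sample scores above 0.4, yet after three rounds `shell_proc` reaches 0.9 because all three of its events reinforce it, while `backup_proc`, attached to the lone `E4_read`, stays around 0.2. The weight and the round count control how far influence travels; in practice both need tuning against benign activity, since the same rule will also raise the score of a busy but legitimate process that happens to touch many weakly suspicious events.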
20 Claims
1. (Identical to the First Claim reproduced above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
15. A system for adjusting suspiciousness scores in event-correlation graphs, the system comprising:
- a detecting module, stored in memory, that detects a suspicious event involving a first actor and a second actor within a computing system, wherein the suspicious event could not be individually classified as definitively malicious;
- a constructing module, stored in memory, that constructs, after the suspicious event involving the first actor and the second actor is detected, an event-correlation graph, wherein the event-correlation graph comprises at least:
  - a representation of the first actor;
  - a representation of the suspicious event, wherein the representation of the suspicious event and the representation of the first actor are interconnected;
  - a representation of the second actor, wherein the representation of the second actor and the representation of the suspicious event are interconnected;
  - a representation of an additional suspicious event involving the first actor and an additional actor;
  - a representation of the additional actor, wherein:
    - the representation of the first actor and the representation of the additional suspicious event are interconnected;
    - the representation of the additional actor and the representation of the additional suspicious event are interconnected;
    - the additional suspicious event could not be individually classified as definitively malicious;
    - each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious;
- an adjusting module, stored in memory, that adjusts a suspiciousness score associated with at least one of an actor represented in the event-correlation graph and a suspicious event represented in the event-correlation graph based at least in part on a suspiciousness score associated with at least one other actor or suspicious event represented in the event-correlation graph such that the adjusted suspiciousness score is influenced by the suspiciousness score associated with the at least one other actor or suspicious event;
- at least one physical processor that executes the detecting module, the constructing module, and the adjusting module.

Dependent claims: 16, 17, 18, 19
20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- detect a suspicious event involving a first actor and a second actor within a computing system, wherein the suspicious event could not be individually classified as definitively malicious;
- construct, after the suspicious event involving the first actor and the second actor is detected, an event-correlation graph, wherein the event-correlation graph comprises at least:
  - a representation of the first actor;
  - a representation of the suspicious event, wherein the representation of the suspicious event and the representation of the first actor are interconnected;
  - a representation of the second actor, wherein the representation of the second actor and the representation of the suspicious event are interconnected;
  - a representation of an additional suspicious event involving the first actor and an additional actor;
  - a representation of the additional actor, wherein:
    - the representation of the first actor and the representation of the additional suspicious event are interconnected;
    - the representation of the additional actor and the representation of the additional suspicious event are interconnected;
    - the additional suspicious event could not be individually classified as definitively malicious;
    - each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious;
- adjust a suspiciousness score associated with at least one of an actor represented in the event-correlation graph and a suspicious event represented in the event-correlation graph based at least in part on a suspiciousness score associated with at least one other actor or suspicious event represented in the event-correlation graph such that the adjusted suspiciousness score is influenced by the suspiciousness score associated with the at least one other actor or suspicious event.
Specification