Systems and methods for detecting online attacks
First Claim
1. A computer-implemented method, comprising:
- detecting a plurality of events based on an analysis of a data stream by identifying the plurality of events as being associated with users on a social graph, the social graph comprising a plurality of social graph nodes and social graph edges and each of the plurality of events having a type, to receive one or more indicators of an online attack;
- analyzing propagation of the plurality of events by, for each type of the plurality of events, generating at least one directed acyclic graph (DAG) comprising a plurality of DAG nodes and DAG edges, where each DAG node on the DAG represents a corresponding social graph node on the social graph where a subset of events of the plurality of events having a particular type occur and each of the DAG edges of the DAG represents a propagation of each event of the subset of events of the particular type from a first social graph node to a second social graph node, and assessing a confidence level that the plurality of events are online attack events;
- performing a cluster analysis comprising analysis of pairs of the plurality of events that have been graphed on the DAG as having been propagated, wherein the cluster analysis is repeated for each type of the plurality of events and one or more timings of the plurality of events; and
- providing an updated confidence level associated with the plurality of events being the online attack events based on the cluster analysis, wherein an identity of an online attacker associated with the online attack events is further associated with the social graph.
Abstract
Detecting online attacks is described, including identifying one or more events associated with users on a social graph. For each type of event of the one or more events, at least one directed acyclic graph (DAG) is generated, where each node on the DAG represents a node on the social graph where an event of the type occurs and each edge on the DAG represents a propagation of the event from a first node of the edge to a second node of the edge.
18 Claims
8. At least one computing device comprising non-transitory storage and a hardware processor configured to perform:
- detecting a plurality of events based on an analysis of a data stream by identifying the plurality of events as being associated with users on a social graph, the social graph comprising a plurality of social graph nodes and social graph edges and each of the plurality of events having a type, to receive one or more indicators of an online attack;
- analyzing propagation of the plurality of events by, for each type of the plurality of events, generating at least one directed acyclic graph (DAG) comprising a plurality of DAG nodes and DAG edges, where each DAG node on the DAG represents a corresponding social graph node on the social graph where a subset of events of the plurality of events having a particular type occur and each of the DAG edges of the DAG represents a propagation of each event of the subset of events of the particular type from a first social graph node to a second social graph node, and assessing a confidence level that the plurality of events are online attack events;
- performing a cluster analysis comprising analysis of pairs of the plurality of events that have been graphed on the DAG as having been propagated, wherein the cluster analysis is repeated for each type of the plurality of events and one or more timings of the plurality of events; and
- providing an updated confidence level associated with the plurality of events being the online attack events based on the cluster analysis, wherein an identity of an online attacker associated with the online attack events is further associated with the social graph.
13. A non-transitory computer readable medium having stored therein computer executable instructions for:
- (a) detecting an event of a plurality of events that is associated with a first user, each of the plurality of events having a type;
- (b) determining that the first user is associated with a first social graph node on a social graph;
- (c) adding a directed acyclic graph (DAG) node to a DAG corresponding to the first social graph node on the social graph;
- (d) assigning the DAG node on the DAG as a current node;
- (e) determining that the event occurs at a time T1;
- (f) identifying at least one or more second users associated with at least one second social graph node adjacent to the first social graph node on the social graph corresponding with the current node;
- (g) determining if the one or more second users are associated with an occurrence of another event having a same type as the event associated with the first user and for each of the determined one or more second users;
  - (g1) adding a second DAG node to the DAG corresponding to the at least one second social graph node on the social graph, the added second DAG node being considered as one new node;
  - (g2) determining that the another event having the same type as the event associated with the first user occurs at a time T2; and
  - (g3) adding a directed edge between the current node and the one new node to indicate propagation of the another event with the directed edge pointing to the current node if T1 is later than T2 or pointing to the one new node if T2 is later than T1;
- (h) storing the DAG;
- (i) assessing a confidence level that the plurality of events are online attack events based on the DAG;
- (j) performing a cluster analysis comprising analysis of pairs of the plurality of events that have been graphed on the DAG as having been propagated, wherein the cluster analysis is repeated for each type of the plurality of events and one or more timings of the plurality of events; and
- (k) providing an updated confidence level associated with the plurality of events being the online attack events based on the cluster analysis.
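The DAG construction of claim 13, steps (a) through (h), as an added Python example; it is not code from the patent or its assignee. The graph, user names, event types and timestamps are constructed, `entry_nodes` is a hypothetical helper, and the example goes beyond the claim text by repeating steps (f) to (g3) from each newly added node, covering every event type, and adding no edge when two timestamps are equal.

```python
from collections import defaultdict, deque

# Constructed sample data (not from the patent): an undirected social graph
# and (user, event_type, timestamp) observations from a data stream.
SOCIAL_GRAPH = {
    "alice": {"bob", "carol"}, "bob": {"alice", "dave"},
    "carol": {"alice", "dave"}, "dave": {"bob", "carol", "erin"},
    "erin": {"dave"},
}
EVENTS = [
    ("alice", "spam_link", 100), ("bob", "spam_link", 130),
    ("dave", "spam_link", 150), ("carol", "spam_link", 150),
    ("erin", "spam_link", 90),
    ("carol", "fake_login", 200), ("alice", "fake_login", 260),
]

def build_propagation_dags(graph, events):
    """Return {event_type: set of (src, dst)}; edges run earlier -> later."""
    first_seen = defaultdict(dict)  # earliest time per (type, user)
    for user, etype, ts in events:
        seen = first_seen[etype]
        seen[user] = min(ts, seen.get(user, ts))
    dags = {}
    for etype, times in first_seen.items():
        edges, visited = set(), set()
        for seed in sorted(times, key=lambda u: (times[u], u)):  # (a)-(d)
            if seed in visited:
                continue
            visited.add(seed)
            queue = deque([seed])
            while queue:
                current = queue.popleft()
                t1 = times[current]                      # (e)
                for neighbor in graph.get(current, ()):  # (f)
                    if neighbor not in times:            # (g)
                        continue
                    t2 = times[neighbor]                 # (g2)
                    if t1 < t2:                          # (g3)
                        edges.add((current, neighbor))
                    elif t2 < t1:  # equal times: no edge (assumption)
                        edges.add((neighbor, current))
                    if neighbor not in visited:  # assumption: repeat from new node
                        visited.add(neighbor)
                        queue.append(neighbor)
        dags[etype] = edges
    return dags

def entry_nodes(edges):
    """Hypothetical helper: DAG nodes with no inbound propagation edge."""
    return {s for s, _ in edges} - {d for _, d in edges}
```

Because every edge points from a strictly earlier timestamp to a strictly later one, the result cannot contain a cycle, which is what makes it usable as input to the later confidence and cluster-analysis steps.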
Specification