Systems and methods for using event-correlation graphs to generate remediation procedures
First Claim
1. A computer-implemented method for using event-correlation graphs to generate remediation procedures, at least a portion of the method being performed by at least one computing device comprising at least one processor, the method comprising:
- detecting, by the at least one computing device, a suspicious event involving a first actor within a computing system, wherein the suspicious event could not be individually classified as definitively malicious;
constructing, by the at least one computing device in response to detecting the suspicious event involving the first actor, an event-correlation graph, wherein;
the event-correlation graph comprises at least;
a first node that represents the first actor;
a second node that represents a second actor; and
an edge that interconnects the first node and the second node and represents an additional suspicious event involving the first actor and the second actor;
each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious;
calculating, by the at least one computing device based at least in part on the additional suspicious event involving the first actor and the second actor, an attack score for the event-correlation graph;
determining that the attack score is greater than a predetermined threshold;
determining, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event comprises an attack on the computing system;
using the event-correlation graph to generate a procedure for remediating an effect of the attack on the computing system.
6 Assignments
0 Petitions
Accused Products
Abstract
A computer-implemented method for using event-correlation graphs to generate remediation procedures may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing, in response to detecting the suspicious event involving the first actor, an event-correlation graph that includes (i) a first node that represents the first actor, (ii) a second node that represents a second actor, and (iii) an edge that interconnects the first node and the second node and represents an additional suspicious event involving the first actor and the second actor, and (3) using the event-correlation graph to generate a procedure for remediating an effect of an attack on the computing system that is reflected in the event-correlation graph. Various other methods, systems, and computer-readable media are also disclosed.
-
Citations
20 Claims
-
1. A computer-implemented method for using event-correlation graphs to generate remediation procedures, at least a portion of the method being performed by at least one computing device comprising at least one processor, the method comprising:
-
detecting, by the at least one computing device, a suspicious event involving a first actor within a computing system, wherein the suspicious event could not be individually classified as definitively malicious; constructing, by the at least one computing device in response to detecting the suspicious event involving the first actor, an event-correlation graph, wherein; the event-correlation graph comprises at least; a first node that represents the first actor; a second node that represents a second actor; and an edge that interconnects the first node and the second node and represents an additional suspicious event involving the first actor and the second actor; each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious; calculating, by the at least one computing device based at least in part on the additional suspicious event involving the first actor and the second actor, an attack score for the event-correlation graph; determining that the attack score is greater than a predetermined threshold; determining, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event comprises an attack on the computing system; using the event-correlation graph to generate a procedure for remediating an effect of the attack on the computing system. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
-
-
16. A system for using event-correlation graphs to generate remediation procedures, the system comprising:
-
a detecting module, stored in memory, that detects a suspicious event involving a first actor within a computing system, wherein the suspicious event could not be individually classified as definitively malicious; a constructing module, stored in memory, that; constructs, in response to detecting the suspicious event involving the first actor, an event-correlation graph, wherein; the event-correlation graph comprises at least; a first node that represents the first actor; a second node that represents a second actor; and an edge that interconnects the first node and the second node and represents an additional suspicious event involving the first actor and the second actor; each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious; calculates, based at least in part on the additional suspicious event involving the first actor and the second actor, an attack score for the event-correlation graph; determines that the attack score is greater than a predetermined threshold; determines, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event comprises an attack on the computing system; a remediating module, stored in memory, that uses the event-correlation graph to generate a procedure for remediating an effect of the attack on the computing system; at least one processor that executes the detecting module, the constructing module, and the remediating module. - View Dependent Claims (17, 18, 19)
-
-
20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
-
detect a suspicious event involving a first actor within a computing system, wherein the suspicious event could not be individually classified as definitively malicious; construct, in response to detecting the suspicious event involving the first actor, an event-correlation graph, wherein; the event-correlation graph comprises at least; a first node that represents the first actor; a second node that represents a second actor; and an edge that interconnects the first node and the second node and represents an additional suspicious event involving the first actor and the second actor; each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious; calculate, based at least in part on the additional suspicious event involving the first actor and the second actor, an attack score for the event-correlation graph; determine that the attack score is greater than a predetermined threshold; determine, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event comprises an attack on the computing system; use the event-correlation graph to generate a procedure for remediating an effect of the attack on the computing system.
-
Specification