Systems and methods for using event-correlation graphs to generate remediation procedures

US 9,256,739 B1
Filed: 03/21/2014
Issued: 02/09/2016
Est. Priority Date: 03/21/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for using event-correlation graphs to generate remediation procedures, at least a portion of the method being performed by at least one computing device comprising at least one processor, the method comprising:

detecting, by the at least one computing device, a suspicious event involving a first actor within a computing system, wherein the suspicious event could not be individually classified as definitively malicious;

constructing, by the at least one computing device in response to detecting the suspicious event involving the first actor, an event-correlation graph, wherein;

the event-correlation graph comprises at least;

a first node that represents the first actor;

a second node that represents a second actor; and

an edge that interconnects the first node and the second node and represents an additional suspicious event involving the first actor and the second actor;

each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious;

calculating, by the at least one computing device based at least in part on the additional suspicious event involving the first actor and the second actor, an attack score for the event-correlation graph;

determining that the attack score is greater than a predetermined threshold;

determining, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event comprises an attack on the computing system;

using the event-correlation graph to generate a procedure for remediating an effect of the attack on the computing system.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for using event-correlation graphs to generate remediation procedures may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing, in response to detecting the suspicious event involving the first actor, an event-correlation graph that includes (i) a first node that represents the first actor, (ii) a second node that represents a second actor, and (iii) an edge that interconnects the first node and the second node and represents an additional suspicious event involving the first actor and the second actor, and (3) using the event-correlation graph to generate a procedure for remediating an effect of an attack on the computing system that is reflected in the event-correlation graph. Various other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for using event-correlation graphs to generate remediation procedures, at least a portion of the method being performed by at least one computing device comprising at least one processor, the method comprising:
- detecting, by the at least one computing device, a suspicious event involving a first actor within a computing system, wherein the suspicious event could not be individually classified as definitively malicious;
  
  constructing, by the at least one computing device in response to detecting the suspicious event involving the first actor, an event-correlation graph, wherein;
  
  the event-correlation graph comprises at least;
  
  a first node that represents the first actor;
  
  a second node that represents a second actor; and
  
  an edge that interconnects the first node and the second node and represents an additional suspicious event involving the first actor and the second actor;
  
  each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious;
  
  calculating, by the at least one computing device based at least in part on the additional suspicious event involving the first actor and the second actor, an attack score for the event-correlation graph;
  
  determining that the attack score is greater than a predetermined threshold;
  
  determining, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event comprises an attack on the computing system;
  
  using the event-correlation graph to generate a procedure for remediating an effect of the attack on the computing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising recommending the procedure to at least one of:
    - an administrator of the computing system;
      
      a user of the computing system.
  - 3. The method of claim 1, wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises:
    - using the event-correlation graph to determine that security credentials were accessed during the attack;
      
      generating a procedure for resetting the security credentials.
  - 4. The method of claim 1, wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises:
    - using the event-correlation graph to determine that a keylogger was executed on a computing device within the computing system on which security credentials were accessible;
      
      generating a procedure for resetting the security credentials.
  - 5. The method of claim 1, wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises:
    - using the event-correlation graph to determine that a domain controller was infected during the attack;
      
      generating a procedure for resetting security credentials managed by the domain controller.
  - 6. The method of claim 1, wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises:
    - using the event-correlation graph to determine that an actor involved in the attack is external to the computing system;
      
      generating a procedure for adding the external actor to a blacklist.
  - 7. The method of claim 1, wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises:
    - using the event-correlation graph to determine that a benign application was involved in the attack;
      
      generating a procedure for improving the security of the benign application.
  - 8. The method of claim 1, wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises:
    - using the event-correlation graph to determine that a nonessential benign application was involved in the attack;
      
      generating a procedure for reducing use of the nonessential benign application.
  - 9. The method of claim 1, wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises:
    - using the event-correlation graph to determine that a hacking tool was involved in the attack;
      
      generating a procedure for removing the hacking tool.
  - 10. The method of claim 1, wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises:
    - using the event-correlation graph to determine that an actor involved in the attack made modifications to a file system;
      
      generating a procedure for undoing the modifications to the file system.
  - 11. The method of claim 1, wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises:
    - using the event-correlation graph to determine that an actor involved in the attack made modifications to a registry;
      
      generating a procedure for undoing the modifications to the registry.
  - 12. The method of claim 1, wherein using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises:
    - using the event-correlation graph to determine that unencrypted communications occurred during the attack;
      
      notifying an administrator of the unencrypted communications that occurred during the attack.
  - 13. The method of claim 1, wherein:
    - the attack comprises a phishing attack;
      
      using the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system comprises;
      
      using the event-correlation graph to identify at least one user involved in the phishing attack;
      
      performing at least one of;
      
      notifying an administrator of the user involved in the phishing attack;
      
      generating a procedure for educating the user about phishing attacks.
  - 14. The method of claim 1, wherein calculating the attack score for the event-correlation graph comprises:
    - calculating a score for each edge within the event-correlation graph based at least in part on a suspiciousness score associated with the suspicious event represented by the edge;
      
      summing the scores of each edge within the event-correlation graph.
  - 15. The method of claim 1, wherein calculating the attack score for the event-correlation graph comprises:
    - calculating a score for each node within the event-correlation graph based at least in part on a suspiciousness score associated with each suspicious event associated with the node;
      
      summing the scores of each node within the event-correlation graph.

16. A system for using event-correlation graphs to generate remediation procedures, the system comprising:
- a detecting module, stored in memory, that detects a suspicious event involving a first actor within a computing system, wherein the suspicious event could not be individually classified as definitively malicious;
  
  a constructing module, stored in memory, that;
  
  constructs, in response to detecting the suspicious event involving the first actor, an event-correlation graph, wherein;
  
  the event-correlation graph comprises at least;
  
  a first node that represents the first actor;
  
  a second node that represents a second actor; and
  
  an edge that interconnects the first node and the second node and represents an additional suspicious event involving the first actor and the second actor;
  
  each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious;
  
  calculates, based at least in part on the additional suspicious event involving the first actor and the second actor, an attack score for the event-correlation graph;
  
  determines that the attack score is greater than a predetermined threshold;
  
  determines, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event comprises an attack on the computing system;
  
  a remediating module, stored in memory, that uses the event-correlation graph to generate a procedure for remediating an effect of the attack on the computing system;
  
  at least one processor that executes the detecting module, the constructing module, and the remediating module.
- View Dependent Claims (17, 18, 19)
- - 17. The system of claim 16, further comprising a recommending module, stored in memory, that recommends the procedure to at least one of:
    - an administrator of the computing system;
      
      a user of the computing system.
  - 18. The system of claim 16, wherein the remediating module uses the event-correlation graph to generate the procedure for remediating the effect of the attack on the computing system by:
    - using the event-correlation graph to determine that security credentials were accessed during the attack;
      
      generating a procedure for resetting the security credentials.
  - 19. The system of claim 16, wherein the computing system comprises a live production system.

20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- detect a suspicious event involving a first actor within a computing system, wherein the suspicious event could not be individually classified as definitively malicious;
  
  construct, in response to detecting the suspicious event involving the first actor, an event-correlation graph, wherein;
  
  the event-correlation graph comprises at least;
  
  a first node that represents the first actor;
  
  a second node that represents a second actor; and
  
  an edge that interconnects the first node and the second node and represents an additional suspicious event involving the first actor and the second actor;
  
  each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious;
  
  calculate, based at least in part on the additional suspicious event involving the first actor and the second actor, an attack score for the event-correlation graph;
  
  determine that the attack score is greater than a predetermined threshold;
  
  determine, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event comprises an attack on the computing system;
  
  use the event-correlation graph to generate a procedure for remediating an effect of the attack on the computing system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Roundy, Kevin Alejandro, Bhatkar, Sandeep
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
DE JESUS LASSALA, CARLOS MANUEL

Application Number

US14/221,703
Time in Patent Office

690 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/54   by adding security routines...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

H04L 41/0631   using root cause analysis; ...

H04L 63/1425   Traffic logging, e.g. anoma...

Systems and methods for using event-correlation graphs to generate remediation procedures

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for using event-correlation graphs to generate remediation procedures

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links