Analytics-based security monitoring system and method

US 9,654,485 B1
Filed: 04/13/2015
Issued: 05/16/2017
Est. Priority Date: 04/13/2015
Status: Active Grant

First Claim

Patent Images

1. An analytics-based security monitoring system comprising:

at least one memory to store instructions; and

a hardware processor communicatively coupled to the at least one memory, the hardware processor, when executing the instructions, to;

receive information collected from at least one computing node in a computing environment,detect a first plurality of behavioral characteristics from behavioral data in the received information, each of the first plurality of behavioral characteristics representing an action conducted in the computing environment,determine one or more behavioral fragments, each of the one or more behavioral fragments comprises a second plurality of behavioral characteristics having a level of relevance to each other that is computed based, at least in part, on one or more of (i) whether the second plurality of behavioral characteristics occur within a prescribed window of time or (ii) whether the second plurality of behavioral characteristics are detected on a single computing node or different computing nodes of the at least one computing node,correlate the one or more determined behavioral fragments against an attack profile comprising a plurality of sets of behavioral fragments where each set of behavioral fragments forms a malicious behavior pattern of a known attack,identify an attack based on the correlated one or more determined behavioral fragments, andperform one or more remedial actions when the attack is identified.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An analytics-based security monitoring system includes instructions that may be executed by a computing system to receive data in the form of event logs from one or more network devices transferred through a computing environment, detect a plurality of behavioral characteristics from the received event logs, identify behavioral fragments composed of related behavioral characteristics, and identify an attack by correlating the behavioral fragments against patterns of known malicious attacks. The analytics-based security monitoring system may then perform a learning process to enhance further detection of attacks and perform one or more remedial actions when an attack is identified.

284 Citations

25 Claims

1. An analytics-based security monitoring system comprising:
- at least one memory to store instructions; and
  
  a hardware processor communicatively coupled to the at least one memory, the hardware processor, when executing the instructions, to;
  
  receive information collected from at least one computing node in a computing environment,detect a first plurality of behavioral characteristics from behavioral data in the received information, each of the first plurality of behavioral characteristics representing an action conducted in the computing environment,determine one or more behavioral fragments, each of the one or more behavioral fragments comprises a second plurality of behavioral characteristics having a level of relevance to each other that is computed based, at least in part, on one or more of (i) whether the second plurality of behavioral characteristics occur within a prescribed window of time or (ii) whether the second plurality of behavioral characteristics are detected on a single computing node or different computing nodes of the at least one computing node,correlate the one or more determined behavioral fragments against an attack profile comprising a plurality of sets of behavioral fragments where each set of behavioral fragments forms a malicious behavior pattern of a known attack,identify an attack based on the correlated one or more determined behavioral fragments, andperform one or more remedial actions when the attack is identified.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The analytics-based security monitoring system of claim 1, wherein the instructions are further executed by the hardware processor to:
    - identify the attack by generating a score based on the correlated one or more determined behavioral fragments.
  - 3. The analytics-based security monitoring system of claim 1, wherein the instructions are further executed to:
    - correlate a first behavioral characteristic against one or more other behavioral characteristics;
      
      generate a behavioral score indicative of a level of relevance of the first behavioral characteristic to the one or more other behavioral characteristics using at least one correlation weighting factor applied to the first behavioral characteristic and the one or more other behavioral characteristics; and
      
      identify the attack by generating a score based on the correlated one or more determined behavioral fragments.
  - 4. The analytics-based security monitoring system of claim 3, wherein the instructions are further executed by the hardware processor to perform a learning process that includes analyzing a previously identified attack, and modifying the at least one correlation weighting factor according to the analyzed attack.
  - 5. The analytics-based security monitoring system of claim 1, wherein the instructions are further executed by the hardware processor to detect the plurality of behavioral characteristics using one or more detection weighting factors that are applied to the behavioral data of received information.
  - 6. The analytics-based security monitoring system of claim 1, wherein the instructions are further executed by the hardware processor to identify an inter-computing environment-based attack by comparing the one or more determined behavioral fragments against a profile including information associated with one or more other attacks identified in other computing environments.
  - 7. The analytics-based security monitoring system of claim 6, wherein the instructions are further executed by the hardware processor to perform a learning process that includes analyzing the one or more other attacks, and modifying a similarity weighting factor of the profile according to the one or more other attacks.
  - 8. The analytics-based security monitoring system of claim 1, wherein the level of relevance is further based on at least whether the second plurality of behavioral characteristics arose during processing of a particular object or a particular type of object.
  - 9. The analytics-based security monitoring system of claim 1, wherein the instructions are further executed by the hardware processor to normalize data associated with the received information into a common format prior to detecting the plurality of behavioral characteristics.
  - 10. The analytics-based security monitoring system of claim 9, wherein the normalized data has a reduced size relative to the data associated with the received information.
  - 11. The analytics-based security monitoring system of claim 1, wherein each of the behavioral characteristics is associated with criteria comprising at least one of a known illicit behavior, a quantity of failed authentication attempts, a quantity of successful authentication attempts, a type of authentication attempt, a data transmission technique, an elapsed time between first and second behavioral characteristics, a reordering of third and fourth behavioral characteristics, and a network searching technique.
  - 12. The analytics-based security monitoring system of claim 1, wherein the remedial action comprises at least one of generating an alert message, tracing an origin of one or more computing nodes associated with the attack, and halting operation of the one or more computing nodes associated with the attack.

13. An analytics-based security monitoring method comprising:
- receiving, using an operations management application with instructions stored on a non-transitory medium and executed on at least one processor, information collected from at least one computing node in a computing environment;
  
  detecting, using the instructions, a plurality of behavioral characteristics from the received information, each of the plurality of behavioral characteristics representing an action conducted in the computing environment;
  
  identifying, using the instructions, at least one behavioral fragment comprising one or more of the detected behavioral characteristics that are related by correlating the behavioral characteristics against a correlation profile including information associated with a set of behavioral characteristic that form a behavior pattern, the related behavioral characteristics are determined based, at least in part, on (i) whether the behavioral characteristics occur within a prescribed window of time or (ii) whether the behavioral characteristics are detected on a single computing node or different computing nodes of the at least one computing node;
  
  identifying, using the instructions, an attack comprising the at least one behavioral fragment by correlating the at least one behavioral fragment against an attack profile including information associated with a set of behavioral fragments that form an attack pattern; and
  
  performing, using the instructions, one or more remedial actions when the attack is identified, the one or more remedial actions including reporting the attack.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The analytics-based security monitoring method of claim 13, further comprising:
    - identifying the attack by generating an attack score based on the correlated one or more determined behavioral fragments.
  - 15. The analytics-based security monitoring method of claim 13, further comprising:
    - correlating a first behavioral characteristic against one or more other behavioral characteristics;
      
      generating a behavioral characteristic score indicative of a level of relevance of the first behavioral characteristic to the one or more other behavioral characteristics using at least one correlation weighting factor applied to the first behavioral characteristic and the one or more other behavioral characteristics; and
      
      identify the attack by generating an attack score based on the correlated one or more determined behavioral fragments.
  - 16. The analytics-based security monitoring method of claim 15, further comprising performing a learning process that includes analyzing a previously identified attack, and modifying the at least one correlation weighting factor according to the analyzed attack.
  - 17. The analytics-based security monitoring method of claim 16, further comprising:
    - detecting the plurality of behavioral characteristics using one or more detection weighting factors with respect to behavioral data of the received information.
  - 18. The analytics-based security monitoring method of claim 16, further comprising performing a learning process that includes analyzing a previously identified attack, and modifying the correlation weighting factors according to the analyzed attack.
  - 19. The analytics-based security monitoring method of claim 14, further comprising identifying an inter-computing environment-based attack by comparing the correlated behavioral fragments against a profile including information associated with one or more other attacks identified in other computing environments.
  - 20. The analytics-based security monitoring method of claim 19, further comprising performing a learning process that includes analyzing the other attacks, and modifying a similarity weighting factor of the profile according to the analyzed other attacks.

21. A security monitoring system comprising:
- a security monitoring framework stored in at least one memory and executed on at least one processor of a computing system, the security monitoring framework comprising;
  
  a behavioral characteristic detection module that, when executed by the at least one processor, analyzes data in an event log to detect a plurality of behavioral characteristics from the event log data collected from at least one computing node in a computing environment, each of the plurality of behavioral characteristics representing an action conducted in the computing environment;
  
  a behavioral fragment determination module that, when executed by the at least one processor, correlates a first of the detected behavioral characteristics against at least one other of the detected behavioral characteristics, and a second of the detected behavioral characteristics against at least one other of the detected behavioral characteristics, using a correlation profile to identify thereby respective first and second behavioral fragments, the correlation profile includes factors including whether the first of the detected behavioral characteristics and the at least one other of the detected behavioral characteristics occur within a prescribed period of time;
  
  an attack identification module that, when executed by the at least one processor, identifies an attack by correlating the first and second behavioral fragments against an attack profile including information associated with a plurality of sets of behavioral fragments that each form a malicious behavior pattern of the attack; and
  
  a remedial action generation module that, when executed by the at least one processor, performs one or more remedial actions when the attack is identified.
- View Dependent Claims (22, 23, 24)
- - 22. The security monitoring system of claim 21, wherein the behavioral fragment determination module is further configured to provide a control signal to the behavioral characteristic detection module to cause the behavioral characteristic detection module to re-analyze the event log data to detect, based on a fragment profile, a behavioral characteristic that was not detected when the event log data was analyzed previously.
  - 23. The security monitoring system of claim 21, wherein the attack identification module is further configured to provide a control signal to the behavioral characteristic detection module to cause the behavioral characteristic detection module to re-analyze the event log data to detect, based on a fragment profile, a behavioral characteristic that was not detected when the event log data was analyzed previously.
  - 24. The security monitoring system of claim 21, wherein the attack identification module is further configured to provide a control signal to the behavioral fragment determination module to cause the behavioral fragment determination module to re-correlate the behavioral characteristics based on the attack profile, to determine either a third behavioral fragment constituting part of the attack or an additional behavioral characteristic that was previously omitted from the first and second behavioral fragments.

25. Computer program product code implemented in a non-transitory, computer readable medium that when executed by at least one processor, is operable to perform at least the following:
- receiving, using an operations management application with instructions stored on a non-transitory medium and executed on at least one processor, information collected from at least one computing node in a computing environment;
  
  detecting, using the instructions, a plurality of behavioral characteristics from the received information, each of the plurality of behavioral characteristics representing an action conducted in the computing environment;
  
  determining, using the instructions, a behavioral fragment by correlating a first of the detected behavioral characteristics against at least one other detected behavioral characteristic, and a second of the detected behavioral characteristics against at least one other of the detected behavioral characteristics, using a correlation profile to thereby identify respective first and second behavioral fragments, the correlation profile includes factors including whether the first of the detected behavioral characteristics and the at least one other detected behavioral characteristic occur within a prescribed period of time;
  
  identifying, using the instructions, an attack by correlating the first and second behavioral fragments against an attack profile including information associated with a plurality of sets of behavioral fragments that each form a malicious behavior pattern of the attack; and
  
  performing, using the instructions, one or more remedial actions when the attack is identified.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Neumann, Justin
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Sanders, Stephen

Application Number

US14/685,475
Time in Patent Office

764 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Analytics-based security monitoring system and method

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

284 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Analytics-based security monitoring system and method

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

284 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links