Event correlation across heterogeneous operations
First Claim
1. A computer-implemented method for correlating domain activity data, the method being executed by one or more processors and comprising:
receiving first domain activity data from a first network domain and second domain activity data from a second network domain, the first domain activity data and the second domain activity data including events, alerts, or both from the respective first and second network domains;
filtering the first domain activity data and the second domain activity data to remove irrelevant activity data, based on a first set of profile data for devices in the first network domain and a second set of profile data for devices in the second network domain;
aggregating unfiltered first domain activity data and unfiltered second domain activity data;
correlating aggregated unfiltered first domain activity data and unfiltered second domain activity data to determine an attack path for an attack that occurs across the first network domain and the second network domain, based on attack signatures and profiles associated with previously identified attacks;
wherein correlating further includes:
labeling the aggregated unfiltered first domain activity data and unfiltered second domain activity data to identify two or more alerts, meta-alerts, or both that are associated with a particular attacker;
linking the activity data that is labeled as being associated with the particular attacker to identify a chain of two or more alerts, meta-alerts, or both; and
determining the attack path that occurs across the first network domain and the second network domain, including determining a series of communications between one or more devices in the first network domain and one or more devices in the second network domain; and
generating a visualization of the attack path.
Abstract
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for correlating domain activity data. First domain activity data from a first network domain and second domain activity data from a second network domain is received. The first domain activity data and the second domain activity data is filtered to remove irrelevant activity data, based on a first set of profile data for devices in the first network domain and a second set of profile data for devices in the second network domain. Unfiltered first and second domain activity data is aggregated. Aggregated unfiltered first and second domain activity data is correlated to determine an attack path for an attack that occurs across the first network domain and the second network domain, based on attack signatures and profiles associated with previously identified attacks. A visualization of the attack path is generated.
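As an added illustration of the claimed pipeline (not the patent's own code), a small Python model that runs profile-based filtering, aggregates the two domains' alerts, labels them by attacker, links one attacker's alerts into a chain matched against an attack signature, and renders the resulting cross-domain path as text. The IT/OT domains, device profiles, alert records and signature are all constructed.

```python
# Added illustration of the claimed pipeline (not the patent's code); all data below is constructed.
from collections import namedtuple

Alert = namedtuple("Alert", "domain ts kind src dst")
# Constructed profiles: alert kinds that are expected from a given device, so an
# alert matching its source's profile is treated as irrelevant and dropped.
PROFILES = {"it": {"10.1.0.5": {"portscan"}},        # authorised scanner
            "ot": {"10.2.0.9": {"modbus_write"}}}    # engineering workstation
# Constructed signature of a previously identified attack: its ordered stages.
SIGNATURE = ["phish_click", "portscan", "lateral_rdp", "firmware_push"]
# Constructed alerts from two sensors; 10.1/16 is the IT domain, 10.2/16 is OT.
ALERTS = [Alert(*r) for r in [
    ("it", 1, "portscan",      "10.1.0.5",     "10.1.0.20"),  # scanner noise
    ("it", 2, "phish_click",   "198.51.100.7", "10.1.0.20"),
    ("it", 3, "portscan",      "10.1.0.20",    "10.1.0.1"),
    ("it", 4, "lateral_rdp",   "10.1.0.20",    "10.2.0.9"),   # IT -> OT hop
    ("ot", 5, "modbus_write",  "10.2.0.9",     "10.2.0.30"),  # profiled as normal
    ("ot", 6, "firmware_push", "10.2.0.9",     "10.2.0.30"),
    ("ot", 7, "modbus_write",  "10.2.0.31",    "10.2.0.40"),  # unrelated host
]]

def domain_of(ip):
    return "it" if ip.startswith("10.1.") else "ot" if ip.startswith("10.2.") else "ext"

def filter_alerts(alerts, profiles):
    """Filtering step: drop alerts whose kind is profiled as normal for their source."""
    return [a for a in alerts if a.kind not in profiles[a.domain].get(a.src, set())]

def label_by_attacker(alerts):
    """Labeling step: an external source opens a label; later alerts from hosts it reached inherit it."""
    controlled, labels = {}, {}             # host -> attacker, alert -> attacker
    for a in sorted(alerts, key=lambda a: a.ts):
        attacker = a.src if domain_of(a.src) == "ext" else controlled.get(a.src)
        if attacker:
            labels[a], controlled[a.dst] = attacker, attacker
    return labels

def correlate(alerts, profiles, signature):
    """Linking step: chain one attacker's alerts in time order; keep the chain only if it
    follows the signature and spans both domains. Returns (attacker, hops)."""
    labels = label_by_attacker(filter_alerts(alerts, profiles))   # aggregate + label
    for attacker in sorted(set(labels.values())):
        chain = sorted((a for a in labels if labels[a] == attacker), key=lambda a: a.ts)
        stages = iter(a.kind for a in chain)        # in-order subsequence match
        if all(s in stages for s in signature) and {"it", "ot"} <= {a.domain for a in chain}:
            return attacker, [(a.kind, a.src, a.dst) for a in chain]
    return None, []

def visualize(hops):
    """Visualization step: one text line per communication on the attack path."""
    return "\n".join(f"{src} --{kind}--> {dst}" for kind, src, dst in hops)
```

Note that the profile filter drops the modbus_write from 10.2.0.9 at ts 5 even though that workstation is already on the attacker's chain, which is why device profiles should be scoped as narrowly as the normal traffic actually warrants.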
26 Citations
21 Claims
1. A computer-implemented method for correlating domain activity data, the method being executed by one or more processors and comprising:
receiving first domain activity data from a first network domain and second domain activity data from a second network domain, the first domain activity data and the second domain activity data including events, alerts, or both from the respective first and second network domains;
filtering the first domain activity data and the second domain activity data to remove irrelevant activity data, based on a first set of profile data for devices in the first network domain and a second set of profile data for devices in the second network domain;
aggregating unfiltered first domain activity data and unfiltered second domain activity data;
correlating aggregated unfiltered first domain activity data and unfiltered second domain activity data to determine an attack path for an attack that occurs across the first network domain and the second network domain, based on attack signatures and profiles associated with previously identified attacks;
wherein correlating further includes:
labeling the aggregated unfiltered first domain activity data and unfiltered second domain activity data to identify two or more alerts, meta-alerts, or both that are associated with a particular attacker;
linking the activity data that is labeled as being associated with the particular attacker to identify a chain of two or more alerts, meta-alerts, or both; and
determining the attack path that occurs across the first network domain and the second network domain, including determining a series of communications between one or more devices in the first network domain and one or more devices in the second network domain; and
generating a visualization of the attack path.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13.

14. A system, comprising:
one or more processors; and
a computer-readable storage device coupled to the one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for correlating domain activity data, the operations comprising:
receiving first domain activity data from a first network domain and second domain activity data from a second network domain, the first domain activity data and the second domain activity data including events, alerts, or both from the respective first and second network domains;
filtering the first domain activity data and the second domain activity data to remove irrelevant activity data, based on a first set of profile data for devices in the first network domain and a second set of profile data for devices in the second network domain;
aggregating unfiltered first domain activity data and unfiltered second domain activity data;
correlating aggregated unfiltered first domain activity data and unfiltered second domain activity data to determine an attack path for an attack that occurs across the first network domain and the second network domain, based on attack signatures and profiles associated with previously identified attacks;
wherein correlating further includes:
labeling the aggregated unfiltered first domain activity data and unfiltered second domain activity data to identify two or more alerts, meta-alerts, or both that are associated with a particular attacker;
linking the activity data that is labeled as being associated with the particular attacker to identify a chain of two or more alerts, meta-alerts, or both; and
determining the attack path that occurs across the first network domain and the second network domain, including determining a series of communications between one or more devices in the first network domain and one or more devices in the second network domain; and
generating a visualization of the attack path.
Dependent claims: 15, 16, 17.

18. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for correlating domain activity data, the operations comprising:
receiving first domain activity data from a first network domain and second domain activity data from a second network domain, the first domain activity data and the second domain activity data including events, alerts, or both from the respective first and second network domains, and wherein the first network domain and the second network domain are separate network domains connected by at least one secure communication device in a commonly managed enterprise network;
filtering the first domain activity data and the second domain activity data to remove irrelevant activity data, based on a first set of profile data for devices in the first network domain and a second set of profile data for devices in the second network domain;
aggregating unfiltered first domain activity data and unfiltered second domain activity data;
correlating aggregated unfiltered first domain activity data and unfiltered second domain activity data to determine an attack path for an attack that occurs across the first network domain and the second network domain, based on attack signatures and profiles associated with previously identified attacks;
wherein correlating further includes:
labeling the aggregated unfiltered first domain activity data and unfiltered second domain activity data to identify two or more alerts, meta-alerts, or both that are associated with a particular attacker;
linking the activity data that is labeled as being associated with the particular attacker to identify a chain of two or more alerts, meta-alerts, or both; and
determining the attack path that occurs across the first network domain and the second network domain, including determining a series of communications between one or more devices in the first network domain and one or more devices in the second network domain; and
generating a visualization of the attack path.
Dependent claims: 19, 20, 21.
Specification