Event correlation across heterogeneous operations

US 9,742,788 B2
Filed: 08/31/2015
Issued: 08/22/2017
Est. Priority Date: 04/09/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for correlating domain activity data, the method being executed by one or more processors and comprising:

receiving first domain activity data from a first network domain and second domain activity data from a second network domain, the first domain activity data and the second domain activity data including events, alerts, or both from the respective first and second network domains;

filtering the first domain activity data and the second domain activity data to remove irrelevant activity data, based on a first set of profile data for devices in the first network domain and a second set of profile data for devices in the second network domain;

aggregating unfiltered first domain activity data and unfiltered second domain activity data;

correlating aggregated unfiltered first domain activity data and unfiltered second domain activity data to determine an attack path for an attack that occurs across the first network domain and the second network domain, based on attack signatures and profiles associated with previously identified attacks;

wherein correlating further includes;

labeling the aggregated unfiltered first domain activity data and unfiltered second domain activity data to identify two or more alerts, meta-alerts, or both that are associated with a particular attacker;

linking the activity data that is labeled as being associated with the particular attacker to identify a chain of two or more alerts, meta-alerts, or both; and

determining the attack path that occurs across the first network domain and the second network domain, including determining a series of communications between one or more devices in the first network domain and one or more devices in the second network domain; and

generating a visualization of the attack path.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for correlating domain activity data. First domain activity data from a first network domain and second domain activity data from a second network domain is received. The first domain activity data and the second domain activity data is filtered to remove irrelevant activity data, based on a first set of profile data for devices in the first network domain and a second set of profile data for devices in the second network domain. Unfiltered first and second domain activity data is aggregated. Aggregated unfiltered first and second domain activity data is correlated to determine an attack path for an attack that occurs across the first network domain and the second network domain, based on attack signatures and profiles associated with previously identified attacks. A visualization of the attack path is generated.

26 Citations

View as Search Results

21 Claims

1. A computer-implemented method for correlating domain activity data, the method being executed by one or more processors and comprising:
- receiving first domain activity data from a first network domain and second domain activity data from a second network domain, the first domain activity data and the second domain activity data including events, alerts, or both from the respective first and second network domains;
  
  filtering the first domain activity data and the second domain activity data to remove irrelevant activity data, based on a first set of profile data for devices in the first network domain and a second set of profile data for devices in the second network domain;
  
  aggregating unfiltered first domain activity data and unfiltered second domain activity data;
  
  correlating aggregated unfiltered first domain activity data and unfiltered second domain activity data to determine an attack path for an attack that occurs across the first network domain and the second network domain, based on attack signatures and profiles associated with previously identified attacks;
  
  wherein correlating further includes;
  
  labeling the aggregated unfiltered first domain activity data and unfiltered second domain activity data to identify two or more alerts, meta-alerts, or both that are associated with a particular attacker;
  
  linking the activity data that is labeled as being associated with the particular attacker to identify a chain of two or more alerts, meta-alerts, or both; and
  
  determining the attack path that occurs across the first network domain and the second network domain, including determining a series of communications between one or more devices in the first network domain and one or more devices in the second network domain; and
  
  generating a visualization of the attack path.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the first domain activity data, the second domain activity data, or both, includes log data provided by one or more security sensors.
  - 3. The method of claim 1, wherein the first network domain is an information technology network domain and the second network domain is an operational technology network domain.
  - 4. The method of claim 1, wherein the filtering comprises:
    - determining, for each event or alert, a corresponding attack and a corresponding target;
      
      determining, based on profile data for the corresponding target, that the attack on the target is rendered unsuccessful; and
      
      filtering the corresponding event or alert.
  - 5. The method of claim 4, wherein the filtering comprises:
    - for each unfiltered event or alert, dynamically retrieving current status information about the corresponding target;
      
      determining, based the current status information about the corresponding target, that the attack on the target is rendered unsuccessful; and
      
      filtering the corresponding event or alert.
  - 6. The method of claim 1, wherein the aggregating comprises determining that two or more alerts were generated in response to detecting a same packet, and combining the alerts into a meta-alert.
  - 7. The method of claim 6, wherein the aggregating comprises determining that two or more alerts, meta-alerts, or both, are associated with a same attack or have similar characteristics, and combining the alerts, meta-alerts, or both.
  - 8. The method of claim 7, wherein the aggregating is performed when the two or more alerts, meta-alerts, or both have timestamps within a threshold similarity value and include the same destination address, the same source address, or both.
  - 9. The method of claim 1, wherein two or more alerts, meta-alerts, or both are linked when the alerts or meta-alerts have timestamp values within a time threshold value.
  - 10. The method of claim 1, further comprising:
    - based on filtered first domain activity data and filtered second domain activity data, determining and storing filtered data associated with unsuccessful attacks; and
      
      based on aggregated unfiltered first domain activity data and unfiltered second domain activity data, determining and storing data associated with targets and attackers;
      
      wherein the attack signatures and profiles are based on the filtered data associated with unsuccessful attacks and on the data associated with targets and attackers.
  - 11. The method of claim 10, wherein the data associated with targets and attackers includes references to devices that are targets of attacks, and references to addresses of attackers.
  - 12. The method of claim 1, further comprising:
    - receiving data associated with the attack path;
      
      in response to receiving the data associated with the attack path, determining an impact of the attack on the first network domain and on the second network domain; and
      
      providing an appropriate course of action for the first network domain and the second network domain.
  - 13. The method of claim 1, further comprising:
    - correlating aggregated unfiltered first domain activity data and unfiltered second domain activity data to determine multiple attack paths;
      
      for each of the attack paths, determining an impact of the attack on the first network domain and on the second network domain; and
      
      ranking each of the multiple attack paths, based on the impact of the respective attack.

14. A system, comprising:
- one or more processors; and
  
  a computer-readable storage device coupled to the one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for correlating domain activity data, the operations comprising;
  
  receiving first domain activity data from a first network domain and second domain activity data from a second network domain, the first domain activity data and the second domain activity data including events, alerts, or both from the respective first and second network domains;
  
  filtering the first domain activity data and the second domain activity data to remove irrelevant activity data, based on a first set of profile data for devices in the first network domain and a second set of profile data for devices in the second network domain;
  
  aggregating unfiltered first domain activity data and unfiltered second domain activity data;
  
  correlating aggregated unfiltered first domain activity data and unfiltered second domain activity data to determine an attack path for an attack that occurs across the first network domain and the second network domain, based on attack signatures and profiles associated with previously identified attacks;
  
  wherein correlating further includes;
  
  labeling the aggregated unfiltered first domain activity data and unfiltered second domain activity data to identify two or more alerts, meta-alerts, or both that are associated with a particular attacker;
  
  linking the activity data that is labeled as being associated with the particular attacker to identify a chain of two or more alerts, meta-alerts, or both; and
  
  determining the attack path that occurs across the first network domain and the second network domain, including determining a series of communications between one or more devices in the first network domain and one or more devices in the second network domain; and
  
  generating a visualization of the attack path.
- View Dependent Claims (15, 16, 17)
- - 15. The system of claim 14, the operations further comprising:
    - based on filtered first domain activity data and filtered second domain activity data, determining and storing filtered data associated with unsuccessful attacks; and
      
      based on aggregated unfiltered first domain activity data and unfiltered second domain activity data, determining and storing data associated with targets and attackers;
      
      wherein the attack signatures and profiles are based on the filtered data associated with unsuccessful attacks and on the data associated with targets and attackers.
  - 16. The system of claim 14, the operations further comprising:
    - receiving data associated with the attack path;
      
      in response to receiving the data associated with the attack path, determining an impact of the attack on the first network domain and on the second network domain; and
      
      providing an appropriate course of action for the first network domain and the second network domain.
  - 17. The system of claim 14, the operations further comprising:
    - correlating aggregated unfiltered first domain activity data and unfiltered second domain activity data to determine multiple attack paths;
      
      for each of the attack paths, determining an impact of the attack on the first network domain and on the second network domain; and
      
      ranking each of the multiple attack paths, based on the impact of the respective attack.

18. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for correlating domain activity data, the operations comprising:
- receiving first domain activity data from a first network domain and second domain activity data from a second network domain, the first domain activity data and the second domain activity data including events, alerts, or both from the respective first and second network domains, and wherein the first network domain and the second network domain are separate network domains connected by at least one secure communication device in a commonly managed enterprise network;
  
  filtering the first domain activity data and the second domain activity data to remove irrelevant activity data, based on a first set of profile data for devices in the first network domain and a second set of profile data for devices in the second network domain;
  
  aggregating unfiltered first domain activity data and unfiltered second domain activity data;
  
  correlating aggregated unfiltered first domain activity data and unfiltered second domain activity data to determine an attack path for an attack that occurs across the first network domain and the second network domain, based on attack signatures and profiles associated with previously identified attacks;
  
  wherein correlating further includes;
  
  labeling the aggregated unfiltered first domain activity data and unfiltered second domain activity data to identify two or more alerts, meta-alerts, or both that are associated with a particular attacker;
  
  linking the activity data that is labeled as being associated with the particular attacker to identify a chain of two or more alerts, meta-alerts, or both; and
  
  determining the attack path that occurs across the first network domain and the second network domain, including determining a series of communications between one or more devices in the first network domain and one or more devices in the second network domain; and
  
  generating a visualization of the attack path.
- View Dependent Claims (19, 20, 21)
- - 19. The non-transitory computer-readable storage medium of claim 18, further comprising:
    - based on filtered first domain activity data and filtered second domain activity data, determining and storing filtered data associated with unsuccessful attacks; and
      
      based on aggregated unfiltered first domain activity data and unfiltered second domain activity data, determining and storing data associated with targets and attackers;
      
      wherein the attack signatures and profiles are based on the filtered data associated with unsuccessful attacks and on the data associated with targets and attackers.
  - 20. The non-transitory computer-readable storage medium of claim 18, further comprising:
    - receiving data associated with the attack path;
      
      in response to receiving the data associated with the attack path, determining an impact of the attack on the first network domain and on the second network domain; and
      
      providing an appropriate course of action for the first network domain and the second network domain.
  - 21. The non-transitory computer-readable storage medium of claim 18, further comprising:
    - correlating aggregated unfiltered first domain activity data and unfiltered second domain activity data to determine multiple attack paths;
      
      for each of the attack paths, determining an impact of the attack on the first network domain and on the second network domain; and
      
      ranking each of the multiple attack paths, based on the impact of the respective attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
Hassanzadeh, Amin, Modi, Shimon, Mulchandani, Shaan, Negm, Walid
Primary Examiner(s)
Shehni, Ghazal

Application Number

US14/841,287
Publication Number

US 20160301704A1
Time in Patent Office

722 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/64   Protecting data integrity, ...

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Event correlation across heterogeneous operations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Event correlation across heterogeneous operations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links