Lateral movement detection

US 9,825,978 B2
Filed: 01/16/2017
Issued: 11/21/2017
Est. Priority Date: 09/18/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for performing network intrusion detection in a computer network having multiple computing devices, the method comprising:

accessing historical logon session data related to activities performed in connection with multiple authorized accounts during logon sessions on corresponding computing devices in the computer network, the historical logon session data including data representing security events triggered during each of the logon sessions in response to the corresponding authorized account accessing one of the computing devices in the computer network; and

based on the received historical logon session data, generating models each configured to output a probability value indicating whether one or more security events related to a new logon session in connection with one of the multiple authorized account are indicative of a compromised behavior, the generated models individually including a historical occurrence value of a distinct combination of the security events triggered during the individual logon sessions.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Lateral movement detection may be performed by employing different detection models to score logon sessions. The different detection models may be implemented by and/or utilize counts computed from historical security event data. The different detection models may include probabilistic intrusion detection models for detecting compromised behavior based on logon behavior, a sequence of security events observed during a logon session, inter-event time between security events observed during a logon session, and/or an attempt to logon using explicit credentials. Scores for each logon session that are output by the different detection models may be combined to generate a ranking score for each logon session. A list of ranked alerts may be generated based on the ranking score for each logon session to identify compromised authorized accounts and/or compromised machines. An attack graph may be automatically generated based on compromised account-machine pairs to visually display probable paths of an attacker.

35 Citations

View as Search Results

20 Claims

1. A computer-implemented method for performing network intrusion detection in a computer network having multiple computing devices, the method comprising:
- accessing historical logon session data related to activities performed in connection with multiple authorized accounts during logon sessions on corresponding computing devices in the computer network, the historical logon session data including data representing security events triggered during each of the logon sessions in response to the corresponding authorized account accessing one of the computing devices in the computer network; and
  
  based on the received historical logon session data, generating models each configured to output a probability value indicating whether one or more security events related to a new logon session in connection with one of the multiple authorized account are indicative of a compromised behavior, the generated models individually including a historical occurrence value of a distinct combination of the security events triggered during the individual logon sessions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1 wherein the security events can include at least some of events of account logon/logoff, authentication, account management, process creation, process termination, directory service, object access, application initiation, application termination, file sharing, policy change, privileged use, or a system event.
  - 3. The computer-implemented method of claim 1 wherein one of the distinct combinations of the security event variables is configured to assess whether a logon behavior is indicative of compromised behavior, the distinct combination of the security event variables include at least some of an account, an account type, a machine role, a machine role type, a time of logon, or a logon type.
  - 4. The computer-implemented method of claim 1 wherein one of the distinct combinations of the security event variables is configured to assess whether a sequence of security events observed during the logon session is indicative of compromised behavior based on a historical occurrence value of the same sequence of security events observed during previous logon sessions.
  - 5. The computer-implemented method of claim 4 wherein the historical occurrence value of the same sequence of security events during previous logon sessions includes a count of the same sequence of security events observed during previous logon sessions.
  - 6. The computer-implemented method of claim 1 wherein one of the distinct combinations of the security event variables is configured to assess whether an inter-event time between security events is indicative of compromised behavior, the distinct combination of the security event variables include an account or account type and an associated sequence of security events and corresponding inter-event times between successive security events in the sequence.
  - 7. The computer-implemented method of claim 1 wherein one of the distinct combinations of the security event variables is configured to assess whether an attempt to logon using explicit credentials during the logon session is indicative of compromised behavior, the distinct combination of the security event variables include at least some of an account, an account type, a machine role, a machine role type, a time of attempted logon related to logon attempt using explicit credentials.
  - 8. The computer-implemented method of claim 1 wherein one of the distinct combinations of security event variables include at least one of:
    - a combination of at least some of an account, an account type, a machine role, a machine role type, a time of logon, or a logon type;
      
      a combination of at least some of an account, an account type, a machine role, or a machine role type, and a sequence of security events;
      
      a combination of an account or account type and an associated sequence of security events and corresponding inter-event times between successive security events in the sequence;
      
      ora combination of at least some of an account, an account type, a machine role, a machine role type, a time of attempted logon related to logon attempt using explicit credentials.

9. A computing device in a computer network containing multiple other computing devices, the computing device comprising:
- a processor for executing computer-executable instructions; and
  
  memory storing computer-executable instructions executable by the processor to cause the processor to;
  
  access historical logon session data related to activities performed in connection with multiple authorized accounts during logon sessions on corresponding computing devices in the computer network, the historical logon session data including data representing security events triggered during each of the logon sessions in response to the corresponding authorized account accessing one of the computing devices in the computer network; and
  
  based on the received historical logon session data, generate one or more models individually configured to output a probability value indicating whether one or more security events related to a new logon session in connection with one of the multiple authorized account are indicative of a compromised behavior, the generated one or more models individually including a historical occurrence value of a distinct combination of the security events triggered during the individual logon sessions.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computing device of claim 9 wherein the security events can include at least some of events of account logon/logoff, authentication, account management, process creation, process termination, directory service, object access, application initiation, application termination, file sharing, policy change, privileged use, or a system event.
  - 11. The computing device of claim 9 wherein one of the distinct combinations of the security event variables is configured to assess whether a logon behavior is indicative of compromised behavior, the distinct combination of the security event variables include at least some of an account, an account type, a machine role, a machine role type, a time of logon, or a logon type.
  - 12. The computing device of claim 9 wherein one of the distinct combinations of the security event variables is configured to assess whether a sequence of security events observed during the logon session is indicative of compromised behavior based on a historical occurrence value of the same sequence of security events observed during previous logon sessions.
  - 13. The computing device of claim 12 wherein the historical occurrence value of the same sequence of security events during previous logon sessions includes a count of the same sequence of security events observed during previous logon sessions.
  - 14. The computing device of claim 9 wherein one of the distinct combinations of the security event variables is configured to assess whether an inter-event time between security events is indicative of compromised behavior, the distinct combination of the security event variables include an account or account type and an associated sequence of security events and corresponding inter-event times between successive security events in the sequence.
  - 15. The computing device of claim 9 wherein one of the distinct combinations of the security event variables is configured to assess whether an attempt to logon using explicit credentials during the logon session is indicative of compromised behavior, the distinct combination of the security event variables include at least some of an account, an account type, a machine role, a machine role type, a time of attempted logon related to logon attempt using explicit credentials.
  - 16. The computing device of claim 9 wherein one of the distinct combinations of security event variables include at least one of:
    - a combination of at least some of an account, an account type, a machine role, a machine role type, a time of logon, or a logon type;
      
      a combination of at least some of an account, an account type, a machine role, or a machine role type, and a sequence of security events;
      
      a combination of an account or account type and an associated sequence of security events and corresponding inter-event times between successive security events in the sequence;
      
      ora combination of at least some of an account, an account type, a machine role, a machine role type, a time of attempted logon related to logon attempt using explicit credentials.

17. A computer-implemented method for performing network intrusion detection in a computer network having multiple computing devices, the method comprising:
- receiving logon session data of activities performed related to authorized accounts during logon sessions on a corresponding computing device in the computer network, the logon session data including data representing security events triggered during the logon sessions in response to the authorized accounts accessing the corresponding computing device in the computer network;
  
  for the logon sessions;
  
  deriving one or more probabilities of intrusion related to the individual logon sessions based on a comparison of the logon session data with distinct combinations of security event variables and a historical occurrence value corresponding to the individual distinct combinations of the security event variables, the individual probabilities of intrusion indicating whether one or more security events related to the individual logon sessions are indicative of a compromised behavior; and
  
  combining the derived one or more probabilities of instruction into an overall probability related to the individual logon sessions; and
  
  identifying one or more of compromised authorized accounts or compromised computing devices in the computer network based on the overall probabilities of the logon sessions related to the logon sessions by the authorized accounts on a corresponding computing device in the computer network.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-implemented method of claim 17 wherein:
    - each overall probability corresponding to one of the logon sessions is assigned a weighting factor; and
      
      combining the derived multiple probabilities includes combining the derived multiple probabilities using the weighting factors.
  - 19. The computer-implemented method of claim 17 wherein the distinct combinations of security event variables include at least some of:
    - a combination of at least some of an account, an account type, a machine role, a machine role type, a time of logon, or a logon type;
      
      a combination of at least some of an account, an account type, a machine role, or a machine role type, and a sequence of security events;
      
      a combination of an account or account type and an associated sequence of security events and corresponding inter-event times between successive security events in the sequence;
      
      ora combination of at least some of an account, an account type, a machine role, a machine role type, a time of attempted logon related to logon attempt using explicit credentials.
  - 20. The computer-implemented method of claim 17 wherein one distinct combination of the security event variables is configured to assess whether a sequence of security events observed during the logon session is indicative of compromised behavior based on a historical occurrence value of the same sequence of security events observed during previous logon sessions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Siva Kumar, Ram Shankar, Vu, Nguyen Song Khanh, DiPlacido, Marco, Nair, Vinod, Das, Aniruddha, Swann, Matt, Selvaraj, Keerthi, Sellamanickam, Sundararajan
Primary Examiner(s)
ZHAO, DON GORDON

Application Number

US15/407,127
Publication Number

US 20170126717A1
Time in Patent Office

309 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Lateral movement detection

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Lateral movement detection

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links