Forensic analysis of computing activity
First Claim
1. A computer program product for forensic analysis for computer processes, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on a computing device, performs the steps of:
instrumenting a first endpoint to monitor a number of causal relationships among a number of computing objects, and to record a sequence of events causally relating the number of computing objects;
detecting a security event associated with one of the number of computing objects, wherein detecting the security event includes detecting a potential data leakage;
in response to detecting the security event, traversing an event graph based on the sequence of events in a reverse order from the one of the number of computing objects associated with the security event to one or more preceding ones of the number of computing objects;
applying a cause identification rule to the one or more preceding ones of the number of computing objects and the number of causal relationships while traversing the event graph to identify one of the number of computing objects as a cause of the security event; and
traversing the event graph forward from the cause of the security event to identify one or more other ones of the number of computing objects affected by the cause.
Abstract
A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files. When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects. For a root cause analysis, the event graph may be traversed in a reverse order from the point of an identified security event (e.g., a malware detection event) to preceding computing objects, while applying one or more cause identification rules to identify a root cause of the security event. Once a root cause is identified, the event graph may be traversed forward from the root cause to identify other computing objects that are potentially compromised by the root cause.
58 Citations
22 Claims
1. A computer program product for forensic analysis for computer processes (independent claim; full text as given under First Claim above). Dependent claims: 2.
3. A method for forensic analysis for computer processes, the method comprising:
instrumenting a first endpoint to monitor a number of causal relationships among a number of computing objects, and to record a sequence of events causally relating the number of computing objects;
detecting a security event associated with one of the number of computing objects, wherein detecting the security event includes detecting a potential data leakage;
in response to detecting the security event, traversing an event graph based on the sequence of events in a reverse order from the one of the number of computing objects associated with the security event to one or more preceding ones of the number of computing objects;
applying a cause identification rule to the one or more preceding ones of the number of computing objects and the number of causal relationships while traversing the event graph to identify one of the number of computing objects as a cause of the security event;
traversing the event graph forward from the cause of the security event to identify one or more other ones of the number of computing objects affected by the cause; and
taking an action to remediate one or more of the identified computing objects.
Dependent claims: 4 through 21.
22. A system for forensic analysis for computer processes comprising:
a first endpoint;
a data recorder instrumented to monitor a number of causal relationships among a number of computing objects on the first endpoint, and to record a sequence of events causally relating the number of computing objects; and
a processor and a memory disposed on the first endpoint or in communication with the first endpoint, the memory bearing computer code that, when executing on the processor, performs the steps of:
detecting a security event associated with one of the number of computing objects on the first endpoint, wherein detecting the security event includes detecting a potential data leakage;
in response to detecting the security event, traversing an event graph based on the sequence of events in a reverse order from the one of the number of computing objects associated with the security event to one or more preceding ones of the number of computing objects;
applying a cause identification rule to the one or more preceding ones of the number of computing objects and the number of causal relationships while traversing the event graph to identify one of the number of computing objects as a cause of the security event;
traversing the event graph forward from the cause of the security event to identify one or more other ones of the number of computing objects affected by the cause;
examining the identified computing objects affected by the cause; and
remediating compromised examined computing objects.
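The procedure described in the abstract and in claims 1, 3 and 22 (record causal events between objects, build an event graph, walk it in reverse under a cause identification rule, then walk forward from the cause to find affected objects and remediate them), as an added worked example in Python. This is not the patent holder's code: the object naming ("proc:", "file:", "net:"), the edge labels, the ingress-based cause identification rule, the remediation table and the recorder log are all constructed assumptions for the illustration.

```python
# Added example, not the patent holder's code.  The "proc:"/"file:"/"net:" prefixes,
# edge labels, ingress-based cause rule, remediation table and log are assumptions.
import heapq
import itertools
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List

INGRESS = {"received_attachment", "downloaded", "copied_from_removable"}  # assumed labels
DATA_IN = {"read_by"}  # file content flowing into a process (assumed label)
REMEDIATION = {"proc": "terminate", "file": "quarantine", "net": "block"}

@dataclass(frozen=True)
class Event:
    seq: int      # monotonic sequence number assigned by the data recorder
    src: str      # acting object, or the object whose content flows
    action: str   # causal relationship: spawned, wrote, executed_as, read_by, sent
    dst: str      # object acted upon

def ingress_rule(obj: str, preds: List[Event]) -> bool:
    """Cause identification rule: `obj` is the cause if it arrived from outside."""
    return any(e.action in INGRESS for e in preds)

class EventGraph:
    """Directed causal graph: one edge src -> dst per recorded event."""

    def __init__(self, events: List[Event]) -> None:
        self.out: Dict[str, List[Event]] = defaultdict(list)
        self.inc: Dict[str, List[Event]] = defaultdict(list)
        for ev in events:
            self.out[ev.src].append(ev)
            self.inc[ev.dst].append(ev)

    def find_cause(self, obj: str, at_seq: int, rule: Callable[[str, List[Event]], bool]):
        """Reverse traversal, most recent predecessor first; returns (cause, chain).
        Only events earlier than the point at which each object was reached are
        followed, so nothing that happened after the security event gets blamed."""
        tie = itertools.count()                  # keeps heap tuples comparable
        heap = [(-at_seq, next(tie), obj, [])]
        seen = set()
        while heap:
            neg_limit, _, cur, path = heapq.heappop(heap)
            if cur in seen:                      # first visit had the largest limit
                continue
            seen.add(cur)
            preds = [e for e in self.inc[cur] if e.seq < -neg_limit]
            if rule(cur, preds):
                return cur, path[::-1]           # chain runs from cause to obj
            for e in preds:
                heapq.heappush(heap, (-e.seq, next(tie), e.src, path + [e]))
        return None, []

    def affected(self, cause: str, since_seq: int) -> Dict[str, int]:
        """Forward traversal: object -> seq at which `cause` tainted it.  An edge
        propagates taint only if it happened after its source was tainted."""
        taint, heap, done = {cause: since_seq}, [(since_seq, cause)], set()
        while heap:
            t, cur = heapq.heappop(heap)         # ascending seq: earliest taint wins
            if cur in done:
                continue
            done.add(cur)
            for e in self.out[cur]:
                if t <= e.seq < taint.get(e.dst, float("inf")):
                    taint[e.dst] = e.seq
                    heapq.heappush(heap, (e.seq, e.dst))
        return taint

    def exposed_data(self, taint: Dict[str, int]) -> List[str]:
        """Files read by a tainted object after it was tainted: leakage candidates."""
        return sorted({e.src for obj, t in taint.items()
                       for e in self.inc[obj] if e.action in DATA_IN and e.seq >= t})

def investigate(events: List[Event], obj: str, at_seq: int) -> dict:
    """Root cause, impact set and remediation plan for a security event on `obj`."""
    g = EventGraph(events)
    cause, chain = g.find_cause(obj, at_seq, ingress_rule)
    if cause is None:
        return {"cause": None}
    ingress_seq = min(e.seq for e in g.inc[cause] if e.action in INGRESS)
    taint = g.affected(cause, ingress_seq)
    return {"cause": cause,
            "chain": [(e.seq, e.src, e.action, e.dst) for e in chain],
            "affected": taint, "exposed": g.exposed_data(taint),
            "plan": {o: REMEDIATION[o.split(":", 1)[0]] for o in taint}}

# Constructed recorder output (not real telemetry): a mailed "invoice" drops a second
# stage that reads a spreadsheet and posts it to an external host.  Events 9 and 10
# happen after the detection; a traversal that ignored causality would blame later.pdf.
LOG = [
    Event(1, "proc:outlook.exe", "received_attachment", "file:invoice.doc.exe"),
    Event(2, "proc:explorer.exe", "spawned", "proc:invoice.doc.exe"),
    Event(3, "file:invoice.doc.exe", "executed_as", "proc:invoice.doc.exe"),
    Event(4, "proc:invoice.doc.exe", "wrote", "file:updater.exe"),
    Event(5, "proc:invoice.doc.exe", "spawned", "proc:updater.exe"),
    Event(6, "file:updater.exe", "executed_as", "proc:updater.exe"),
    Event(7, "file:secrets.xlsx", "read_by", "proc:updater.exe"),
    Event(8, "proc:updater.exe", "sent", "net:203.0.113.7:443"),  # leakage detected here
    Event(9, "proc:outlook.exe", "received_attachment", "file:later.pdf"),
    Event(10, "file:later.pdf", "read_by", "proc:updater.exe"),
]
```

Calling investigate(LOG, "proc:updater.exe", 8) names file:invoice.doc.exe as the cause, with the chain executed_as then spawned leading to the sending process. The at_seq bound in find_cause is what makes the reverse walk causal: without it the most-recent-first traversal would reach file:later.pdf, which arrived after the leak, and its ingress edge would satisfy the rule; calling find_cause with a bound past the end of the log reproduces that mistake. Exposed data is reported separately from affected objects because a file that a compromised process only read is evidence of what may have leaked, not something to quarantine.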
Specification