Network intrusion data item clustering and analysis
First Claim
1. A computer system comprising:
one or more non-transitory computer readable storage devices configured to store:
a plurality of computer executable instructions;
a data clustering strategy; and
a plurality of data items including at least:
intrusion detection system reports, each intrusion detection system report associated with at least a source Internet Protocol address and a destination Internet Protocol address; and
network-related data items associated with captured communications between an internal network and an external network, the network-related data items including at least one of:
external Internet Protocol addresses, external domains, external computerized devices, internal Internet Protocol addresses, internal computerized devices, users of particular computerized devices, intrusion detection system information, network firewall data, or WHOIS information; and
one or more hardware computer processors in communication with the one or more non-transitory computer readable storage devices and configured to execute the plurality of computer executable instructions to cause the computer system to:
receive an intrusion detection system report including a communication between a source Internet Protocol address and a destination Internet Protocol address;
initiate an automated lookup to determine which of the source Internet Protocol address and the destination Internet Protocol address is an external Internet Protocol address, the external Internet Protocol address being external to the internal network;
designate the external Internet Protocol address as a seed;
generate a first data item cluster based on the data clustering strategy by at least:
adding the seed to the first data item cluster;
identifying one or more of the network-related data items associated with the seed; and
adding, to the first data item cluster, the one or more identified network-related data items;
determine to regenerate the first data item cluster;
regenerate the first data item cluster by at least:
identifying one or more new network-related data items associated with at least one of:
the seed, or the one or more identified network-related data items, wherein the one or more new network-related data items were not added to the first data item cluster as initially generated; and
adding, to the first data item cluster, the one or more new network-related data items;
access a plurality of data item clusters including the first data item cluster, wherein the plurality of data item clusters include data items associated with malicious network activities;
analyze the plurality of data item clusters;
determine criticalities of the malicious network activity represented by the data item clusters; and
provide a dynamic user interface displaying at least a first visualization including alerts for at least one of the plurality of data item clusters, wherein the alerts visually indicate the criticalities of the malicious network activity represented by the data item clusters.
8 Assignments
0 Petitions
Abstract
Embodiments of the present disclosure relate to a data analysis system that may automatically generate memory-efficient clustered data structures, automatically analyze those clustered data structures, and provide results of the automated analysis in an optimized way to an analyst. The automated analysis of the clustered data structures (also referred to herein as data clusters) may include an automated application of various criteria or rules so as to generate a compact, human-readable analysis of the data clusters. The human-readable analyses (also referred to herein as “summaries” or “conclusions”) of the data clusters may be organized into an interactive user interface so as to enable an analyst to quickly navigate among information associated with various data clusters and efficiently evaluate those data clusters in the context of, for example, a fraud investigation. Embodiments of the present disclosure also relate to automated scoring of the clustered data structures.
25 Claims
25. A computer system comprising:
one or more non-transitory computer readable storage devices configured to store:
a plurality of computer executable instructions;
a data clustering strategy; and
a plurality of data items including at least:
intrusion detection system reports, each intrusion detection system report associated with at least a source Internet Protocol address and a destination Internet Protocol address; and
network-related data items associated with captured communications between an internal network and an external network, the network-related data items including at least one of:
external Internet Protocol addresses, external domains, external computerized devices, internal Internet Protocol addresses, internal computerized devices, users of particular computerized devices, intrusion detection system information, network firewall data, or WHOIS information; and
one or more hardware computer processors in communication with the one or more non-transitory computer readable storage devices and configured to execute the plurality of computer executable instructions to cause the computer system to:
receive an intrusion detection system report including a communication between a source Internet Protocol address and a destination Internet Protocol address;
initiate an automated lookup to determine which of the source Internet Protocol address and the destination Internet Protocol address is an external Internet Protocol address, the external Internet Protocol address being external to the internal network;
designate the external Internet Protocol address as a seed;
generate a first data item cluster based on the data clustering strategy by at least:
adding the seed to the first data item cluster;
identifying one or more of the network-related data items associated with the seed; and
adding, to the first data item cluster, the one or more identified network-related data items;
determine to regenerate the first data item cluster;
regenerate the first data item cluster by at least:
identifying one or more new network-related data items associated with at least one of:
the seed, or the one or more identified network-related data items, wherein the one or more new network-related data items were not added to the first data item cluster as initially generated; and
adding, to the first data item cluster, the one or more new network-related data items;
access a second data item cluster having at least one network-related data item in common with the first data item cluster;
determine a first time associated with the intrusion detection system report associated with the first data item cluster;
determine a second time associated with an intrusion detection system report associated with the second data item cluster;
determine a difference between the first time and the second time; and
in response to determining that the difference between the first time and the second time satisfies a threshold period of time, merge the first data item cluster and the second data item cluster.
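The clustering strategy recited in claims 1 and 25 (external-address seed selection, initial cluster generation, regeneration with items not present before, and time-threshold merging of overlapping clusters), as an added illustration that is not the patent's own code: the internal address range, the IDS reports and the item associations are all constructed sample data.

```python
import ipaddress
from datetime import datetime, timedelta
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range

def external_ip(report):
    """Automated lookup: whichever of src/dst lies outside INTERNAL_NET becomes the seed."""
    for ip in (report["src"], report["dst"]):
        if ipaddress.ip_address(ip) not in INTERNAL_NET:
            return ip
    raise ValueError("report has no external address")

def related_items(item, links):
    """Network-related data items recorded as associated with `item` (links are undirected)."""
    return {b for a, b in links if a == item} | {a for a, b in links if b == item}

def generate_cluster(seed, links):
    """Initial generation: the seed plus the items directly associated with it."""
    return {seed} | related_items(seed, links)

def regenerate_cluster(cluster, links):
    """Regeneration: add items associated with the seed or any clustered item, not present before."""
    new = set()
    for item in cluster:
        new |= related_items(item, links) - cluster
    return cluster | new

def maybe_merge(c1, t1, c2, t2, threshold):
    """Claim 25: merge clusters sharing an item when their IDS report times are within `threshold`."""
    if c1 & c2 and abs(t1 - t2) <= threshold:
        return c1 | c2
    return None

# Constructed sample data: two IDS reports and associations among network-related items.
REPORTS = [
    {"src": "10.1.2.3", "dst": "203.0.113.7", "time": datetime(2024, 1, 1, 10, 0)},
    {"src": "198.51.100.9", "dst": "10.4.5.6", "time": datetime(2024, 1, 1, 10, 30)},
]
LINKS = [
    ("203.0.113.7", "domain:evil.example"), ("203.0.113.7", "fw:deny-8443"),
    ("203.0.113.7", "10.1.2.3"), ("10.1.2.3", "user:alice"),
    ("domain:evil.example", "198.51.100.9"),  # two hops from the seed: found only on regeneration
    ("198.51.100.9", "whois:Example Org"),
]

def run_example(threshold_minutes=60):
    seeds = [external_ip(r) for r in REPORTS]
    clusters = [regenerate_cluster(generate_cluster(s, LINKS), LINKS) for s in seeds]
    merged = maybe_merge(clusters[0], REPORTS[0]["time"], clusters[1], REPORTS[1]["time"],
                         timedelta(minutes=threshold_minutes))
    return seeds, clusters, merged
```

With the sample data the two clusters share three items and their reports are 30 minutes apart, so they merge under a one-hour threshold but stay separate under a ten-minute one.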
Specification