System and user context in enterprise threat detection

US 10,075,462 B2
Filed: 12/22/2015
Issued: 09/11/2018
Est. Priority Date: 12/22/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

executing, by a computer, a transfer of master data in a backend computing system, wherein the master data includes user data and system data, and wherein the transfer of master data comprises;

receiving, by a computer, user data associated with a particular user id in the backend computing system;

transferring, by a computer, the received user data to an event stream processor (ESP), wherein a user context associated with the particular user id is created or updated;

receiving, by a computer, system data associated with a particular log providing computing system in the backend computing system;

transferring, by a computer, the received system data to the ESP, wherein a system context associated with the particular log providing system is created or updated; and

executing, by a computer, a transfer of log data associated with logs of computing systems connected to the backend computing system;

enriching one or more log entries of the transferred log data based on the user context and the system context; and

rendering a semantic graphical user interface for interaction with the transferred log data, wherein the semantic graphical user interface is configured to render distributions of selectable semantic attribute type values with respect to events in the transferred log data and selected semantic filter values;

wherein alert indications of malicious computing activities are identified in the semantic graphical user interface according to analysis with respect to one or more alert patterns defined using semantic events, and wherein one or more alerts are generated and transmitted based on the analysis.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A transfer of master data is executed in a backend computing system. The master data includes user data and system data. The transfer of master data includes receiving user data associated with a particular user identifier in the backend computing system, transferring the received user data to an event stream processor, receiving system data associated with a particular log providing computing system in the backend computing system, transferring the received user data to the event stream processor, and executing a transfer of log data associated with logs of computing systems connected to the backend computing system.

51 Citations

View as Search Results

20 Claims

1. A computer-implemented method, comprising:
- executing, by a computer, a transfer of master data in a backend computing system, wherein the master data includes user data and system data, and wherein the transfer of master data comprises;
  
  receiving, by a computer, user data associated with a particular user id in the backend computing system;
  
  transferring, by a computer, the received user data to an event stream processor (ESP), wherein a user context associated with the particular user id is created or updated;
  
  receiving, by a computer, system data associated with a particular log providing computing system in the backend computing system;
  
  transferring, by a computer, the received system data to the ESP, wherein a system context associated with the particular log providing system is created or updated; and
  
  executing, by a computer, a transfer of log data associated with logs of computing systems connected to the backend computing system;
  
  enriching one or more log entries of the transferred log data based on the user context and the system context; and
  
  rendering a semantic graphical user interface for interaction with the transferred log data, wherein the semantic graphical user interface is configured to render distributions of selectable semantic attribute type values with respect to events in the transferred log data and selected semantic filter values;
  
  wherein alert indications of malicious computing activities are identified in the semantic graphical user interface according to analysis with respect to one or more alert patterns defined using semantic events, and wherein one or more alerts are generated and transmitted based on the analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein, for the user data, the master data is received from a user management system or an identity management system, and wherein, for the system data, the master data is received from system context data associated with a particular computing system connected to the backend computing system as determined by a software application executing on the backend computing system or manual maintenance data related to a particular system context.
  - 3. The method of claim 1, wherein the user data is associated with a single individual or a common identification associated with multiple individuals.
  - 4. The method of claim 1, comprising:
    - if determined that the user context associated with the particular user id is not available to the ESP, creating a new user context associated with the particular user id; and
      
      if determined that the user context associated with the particular user id is available to the ESP, updating the user context associated with the particular user id.
  - 5. The method of claim 1, comprising:
    - if determined that the system context associated with the particular log providing computing system is not available to the ESP, creating a new system context associated with the particular log providing computing system; and
      
      if determined that the system context associated with the particular log providing computing system is available to the ESP, updating the system context associated with the particular log providing computing system.
  - 6. The method of claim 1, wherein the transfer of log data comprises:
    - reading log data from a particular log associated with a particular computing system, wherein the log data is read starting with the latest timestamp; and
      
      transferring read log data to the ESP, wherein the read log data is transformed into a normalized format prior to transfer.
  - 7. The method of claim 6, wherein the enrichment of each particular log entry comprises:
    - attempting to read a user context for a particular user id associated with the particular log entry;
      
      if a user context for the particular user id is found within the backend computing system, writing into the particular log a user context id associated with the user context;
      
      if a user context for the particular user id is not found within the backend computing system, creating a new user context within the backend computing system and writing into the particular log a user context id associated with the new user context;
      
      removing the original user id from the particular log entry; and
      
      writing a revised log entry into the backend computing system.

8. A non-transitory, computer-readable medium storing computer-readable instructions, the instructions executable by a computer and configured to:
- execute a transfer of master data in a backend computing system, wherein the master data includes user data and system data, and wherein the transfer of master data comprises;
  
  receive user data associated with a particular user id in the backend computing system;
  
  transfer the received user data to an event stream processor (ESP), wherein a user context associated with the particular user id is created or updated;
  
  receive system data associated with a particular log providing computing system in the backend computing system;
  
  transfer the received system data to the ESP, wherein a system context associated with the particular log providing system is created or updated; and
  
  execute a transfer of log data associated with logs of computing systems connected to the backend computing system;
  
  enrich one or more log entries of the transferred log data based on the user context and the system context; and
  
  render a semantic graphical user interface for interaction with the transferred log data, wherein the semantic graphical user interface is configured to render distributions of selectable semantic attribute type values with respect to events in the transferred log data and selected semantic filter values;
  
  wherein alert indications of malicious computing activities are identified in the semantic graphical user interface according to analysis with respect to one or more alert patterns defined using semantic events, and wherein one or more alerts are generated and transmitted based on the analysis.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory, computer-readable medium of claim 8, wherein, for the user data, the master data is received from a user management system or an identity management system, and wherein, for the system data, the master data is received from system context data associated with a particular computing system connected to the backend computing system as determined by a software application executing on the backend computing system or manual maintenance data related to a particular system context.
  - 10. The non-transitory, computer-readable medium of claim 8, wherein the user data is associated with a single individual or a common identification associated with multiple individuals.
  - 11. The non-transitory, computer-readable medium of claim 8, the instructions further configured to:
    - if determined that the user context associated with the particular user id is not available to the ESP, create a new user context associated with the particular user id; and
      
      if determined that the user context associated with the particular user id is available to the ESP, update the user context associated with the particular user id.
  - 12. The non-transitory, computer-readable medium of claim 8, the instructions further configured to:
    - if determined that the system context associated with the particular log providing computing system is not available to the ESP, create a new system context associated with the particular log providing computing system; and
      
      if determined that the system context associated with the particular log providing computing system is available to the ESP, update the system context associated with the particular log providing computing system.
  - 13. The non-transitory, computer-readable medium of claim 8, wherein the transfer of log data comprises:
    - reading log data from a particular log associated with a particular computing system, wherein the log data is read starting with the latest timestamp; and
      
      transferring read log data to the ESP, wherein the read log data is transformed into a normalized format prior to transfer.
  - 14. The non-transitory, computer-readable medium of claim 13, wherein the enrichment of each particular log entry comprises:
    - attempting to read a user context for a particular user id associated with the particular log entry;
      
      if a user context for the particular user id is found within the backend computing system, writing into the particular log a user context id associated with the user context;
      
      if a user context for the particular user id is not found within the backend computing system, creating a new user context within the backend computing system and writing into the particular log a user context id associated with the new user context;
      
      removing the original user id from the particular log entry; and
      
      writing a revised log entry into the backend computing system.

15. A system, comprising:
- a memory;
  
  at least one hardware processor interoperably coupled with the memory and configured to;
  
  execute a transfer of master data in a backend computing system, wherein the master data includes user data and system data, and wherein the transfer of master data comprises;
  
  receive user data associated with a particular user id in the backend computing system;
  
  transfer the received user data to an event stream processor (ESP), wherein a user context associated with the particular user id is created or updated;
  
  receive system data associated with a particular log providing computing system in the backend computing system;
  
  transfer the received system data to the ESP, wherein a system context associated with the particular log providing system is created or updated; and
  
  execute a transfer of log data associated with logs of computing systems connected to the backend computing system;
  
  enrich one or more log entries of the transferred log data based on the user context and the system context; and
  
  render a semantic graphical user interface for interaction with the transferred log data, wherein the semantic graphical user interface is configured to render distributions of selectable semantic attribute type values with respect to events in the transferred log data and selected semantic filter values;
  
  wherein alert indications of malicious computing activities are identified in the semantic graphical user interface according to analysis with respect to one or more alert patterns defined using semantic events, and wherein one or more alerts are generated and transmitted based on the analysis.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein, for the user data, the master data is received from a user management system or an identity management system, and wherein, for the system data, the master data is received from system context data associated with a particular computing system connected to the backend computing system as determined by a software application executing on the backend computing system or manual maintenance data related to a particular system context.
  - 17. The system of claim 15, wherein the user data is associated with a single individual or a common identification associated with multiple individuals.
  - 18. The system of claim 15, the processor further configured to:
    - if determined that the user context associated with the particular user id is not available to the ESP, create a new user context associated with the particular user id; and
      
      if determined that the user context associated with the particular user id is available to the ESP, update the user context associated with the particular user id.
  - 19. The system of claim 15, the processor further configured to:
    - if determined that the system context associated with the particular log providing computing system is not available to the ESP, create a new system context associated with the particular log providing computing system; and
      
      if determined that the system context associated with the particular log providing computing system is available to the ESP, update the system context associated with the particular log providing computing system.
  - 20. The system of claim 15, wherein the transfer of log data comprises:
    - reading log data from a particular log associated with a particular computing system, wherein the log data is read starting with the latest timestamp; and
      
      transferring read log data to the ESP, wherein the read log data is transformed into a normalized format prior to transfer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Mehta, Harish, Seifert, Hartwig, Kunz, Thomas, Jacobi, Anne, Rodeck, Marco, Kraemer, Florian, Brencher, Bjorn, Zhang, Nan
Primary Examiner(s)
Bayou, Yonas

Application Number

US14/978,984
Publication Number

US 20170180403A1
Time in Patent Office

994 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1425 Traffic logging, e.g. anoma...

System and user context in enterprise threat detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

51 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and user context in enterprise threat detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links