Privilege inference and monitoring based on network behavior

US 10,116,679 B1
Filed: 05/18/2018
Issued: 10/30/2018
Est. Priority Date: 05/18/2018
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring network traffic using one or more network computers, wherein execution of instructions by the one or more network computers perform the method comprising:

instantiating a monitoring engine to perform actions, including;

monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics, wherein the entities include one or more of a source entity and one or more of a target entity; and

providing a device relation model based on the plurality of entities, the network traffic, and the one or more metrics; and

instantiating an inference engine to perform actions, including;

associating the plurality of entities with one or more privilege levels based on the device relation model and the one or more metrics, wherein a value for each of the one or more privilege levels is based on one or more of an amount of access or an amount of control that the one or more source entities exert over the one or more target entities; and

increasing the one or more privilege levels for a source entity based on one or more metric values that are associated with the one or more target entities that are linked to the source entity; and

instantiating an anomaly engine to perform actions, including;

determine one or more interactions between the one or more source entities and the one or more target entities based on the monitored network traffic;

generating one or more escalation events based on the one or more interactions and the one or more privilege levels associated with the one or more source entities and the one or more target entities, wherein the one or more interactions or the one or more target entities are associated with a privilege level that exceeds the one or more privilege levels associated with the one or more source entities; and

providing the one or more escalation events to one or more users.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to monitoring network traffic. A monitoring engine may monitor network traffic associated with entities in one or more networks. A device relation model may be provided based on the entities and the network traffic. An inference engine associate the entities with privilege levels based on the device relation model based on an amount of access or an amount of control that source entities exert over the target entities. An anomaly engine may determine one or more interactions between the source entities and the target entities based on the monitored network traffic. The anomaly engine may generate escalation events based on the interactions associated with the source entities and the target entities where the target entities have a higher privilege level than the source entities. The anomaly engine may provide the escalation events to one or more users.

202 Citations

26 Claims

1. A method for monitoring network traffic using one or more network computers, wherein execution of instructions by the one or more network computers perform the method comprising:
- instantiating a monitoring engine to perform actions, including;
  
  monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics, wherein the entities include one or more of a source entity and one or more of a target entity; and
  
  providing a device relation model based on the plurality of entities, the network traffic, and the one or more metrics; and
  
  instantiating an inference engine to perform actions, including;
  
  associating the plurality of entities with one or more privilege levels based on the device relation model and the one or more metrics, wherein a value for each of the one or more privilege levels is based on one or more of an amount of access or an amount of control that the one or more source entities exert over the one or more target entities; and
  
  increasing the one or more privilege levels for a source entity based on one or more metric values that are associated with the one or more target entities that are linked to the source entity; and
  
  instantiating an anomaly engine to perform actions, including;
  
  determine one or more interactions between the one or more source entities and the one or more target entities based on the monitored network traffic;
  
  generating one or more escalation events based on the one or more interactions and the one or more privilege levels associated with the one or more source entities and the one or more target entities, wherein the one or more interactions or the one or more target entities are associated with a privilege level that exceeds the one or more privilege levels associated with the one or more source entities; and
  
  providing the one or more escalation events to one or more users.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the anomaly engine performs actions, further comprising:
    - determining one or more application protocols that are associated with the one or more interactions based on the monitored network traffic; and
      
      determining a privilege level that is associated with each of the one or more interactions that are associated with the one or more determined application protocols.
  - 3. The method of claim 1, wherein the actions of the inference engine further comprise, modifying each privilege level associated with each entity based on one or more characteristics including one or more of resources accessed by an entity, resources provided by the entity, users that access the entity, users that are logged into the entity, an uptime of the entity, privilege levels of connected entities, privilege levels of related entities, privilege levels of the logged in users, number of clients, or additional metadata.
  - 4. The method of claim 1, wherein the actions of the monitoring engine further comprise:
    - modifying the device relation model based on one or more of additions or removals of the plurality of entities in the network; and
      
      modifying the one or more privilege levels associated with the plurality of entities based on the one or more modifications to the device relation model.
  - 5. The method of claim 1, wherein the anomaly engine performs actions, further comprising:
    - querying one or more databases to obtain information about the one or more interactions, wherein the one or more databases are separate from the anomaly engine and a network monitoring computer; and
      
      further determining the one or more escalation events based on the obtained information.
  - 6. The method of claim 1, wherein the monitoring engine performs actions, further comprising:
    - determining one or more network topology characteristics based on the monitored network traffic;
      
      associating one or more default privilege levels with the plurality of entities based on the one or more network topology characteristics.
  - 7. The method of claim 1, wherein the inference engine performs further actions including:
    - associating the plurality of entities with metadata that includes one or more of user identities, user types, read/write accessibility, application types, direction of relation, age of relation, or frequency of activity; and
      
      modifying the one or more privilege levels based on the metadata.

8. A processor readable non-transitory storage media that includes instructions for monitoring network traffic using one or more network monitoring computers, wherein execution of the instructions by the one or more network computers perform the method comprising:
- instantiating a monitoring engine to perform actions, including;
  
  monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics, wherein the entities include one or more of a source entity and one or more of a target entity; and
  
  providing a device relation model based on the plurality of entities, the network traffic, and the one or more metrics; and
  
  instantiating an inference engine to perform actions, including;
  
  associating the plurality of entities with one or more privilege levels based on the device relation model and the one or more metrics, wherein a value for each of the one or more privilege levels is based on one or more of an amount of access or an amount of control that the one or more source entities exert over the one or more target entities; and
  
  increasing the one or more privilege levels for a source entity based on one or more metric values that are associated with the one or more target entities that are linked to the source entity; and
  
  instantiating an anomaly engine to perform actions, including;
  
  determine one or more interactions between the one or more source entities and the one or more target entities based on the monitored network traffic;
  
  generating one or more escalation events based on the one or more interactions and the one or more privilege levels associated with the one or more source entities and the one or more target entities, wherein the one or more interactions or the one or more target entities are associated with a privilege level that exceeds the one or more privilege levels associated with the one or more source entities; and
  
  providing the one or more escalation events to one or more users.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The media of claim 8, wherein the anomaly engine performs actions, further comprising:
    - determining one or more application protocols that are associated with the one or more interactions based on the monitored network traffic; and
      
      determining a privilege level that is associated with each of the one or more interactions that are associated with the one or more determined application protocols.
  - 10. The media of claim 8, wherein the actions of the inference engine further comprise, modifying each privilege level associated with each entity based on one or more characteristics including one or more of resources accessed by an entity, resources provided by the entity, users that access the entity, users that are logged into the entity, an uptime of the entity, privilege levels of connected entities, privilege levels of related entities, privilege levels of the logged in users, number of clients, or additional metadata.
  - 11. The media of claim 8, wherein the actions of the monitoring engine further comprise:
    - modifying the device relation model based on one or more of additions or removals of the plurality of entities in the network; and
      
      modifying the one or more privilege levels associated with the plurality of entities based on the one or more modifications to the device relation model.
  - 12. The media of claim 8, wherein the anomaly engine performs actions, further comprising:
    - querying one or more databases to obtain information about the one or more interactions, wherein the one or more databases are separate from the anomaly engine and a network monitoring computer; and
      
      further determining the one or more escalation events based on the obtained information.
  - 13. The media of claim 8, wherein the monitoring engine performs actions, further comprising:
    - determining one or more network topology characteristics based on the monitored network traffic;
      
      associating one or more default privilege levels with the plurality of entities based on the one or more network topology characteristics.
  - 14. The media of claim 8, wherein the inference engine performs further actions including:
    - associating the plurality of entities with metadata that includes one or more of user identities, user types, read/write accessibility, application types, direction of relation, age of relation, or frequency of activity; and
      
      modifying the one or more privilege levels based on the metadata.

15. A system for monitoring network traffic in a network:
- one or more network computers, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  instantiating a monitoring engine to perform actions, including;
  
  monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics, wherein the entities include one or more of a source entity and one or more of a target entity; and
  
  providing a device relation model based on the plurality of entities, the network traffic, and the one or more metrics; and
  
  instantiating an inference engine to perform actions, including;
  
  associating the plurality of entities with one or more privilege levels based on the device relation model and the one or more metrics, wherein a value for each of the one or more privilege levels is based on one or more of an amount of access or an amount of control that the one or more source entities exert over the one or more target entities; and
  
  increasing the one or more privilege levels for a source entity based on one or more metric values that are associated with the one or more target entities that are linked to the source entity; and
  
  instantiating an anomaly engine to perform actions, including;
  
  determine one or more interactions between the one or more source entities and the one or more target entities based on the monitored network traffic;
  
  generating one or more escalation events based on the one or more interactions and the one or more privilege levels associated with the one or more source entities and the one or more target entities, wherein the one or more interactions or the one or more target entities are associated with a privilege level that exceeds the one or more privilege levels associated with the one or more source entities; and
  
  providing the one or more escalation events to one or more users; and
  
  one or more client computers, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing one or more portions of the network traffic.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the anomaly engine performs actions, further comprising:
    - determining one or more application protocols that are associated with the one or more interactions based on the monitored network traffic; and
      
      determining a privilege level that is associated with each of the one or more interactions that are associated with the one or more determined application protocols.
  - 17. The system of claim 15, wherein the actions of the inference engine further comprise, modifying each privilege level associated with each entity based on one or more characteristics including one or more of resources accessed by an entity, resources provided by the entity, users that access the entity, users that are logged into the entity, an uptime of the entity, privilege levels of connected entities, privilege levels of related entities, privilege levels of the logged in users, number of clients, or additional metadata.
  - 18. The system of claim 15, wherein the actions of the monitoring engine further comprise:
    - modifying the device relation model based on one or more of additions or removals of the plurality of entities in the network; and
      
      modifying the one or more privilege levels associated with the plurality of entities based on the one or more modifications to the device relation model.
  - 19. The system of claim 15, wherein the anomaly engine performs actions, further comprising:
    - querying one or more databases to obtain information about the one or more interactions, wherein the one or more databases are separate from the anomaly engine and a network monitoring computer; and
      
      further determining the one or more escalation events based on the obtained information.
  - 20. The system of claim 15, wherein the monitoring engine performs actions, further comprising:
    - determining one or more network topology characteristics based on the monitored network traffic;
      
      associating one or more default privilege levels with the plurality of entities based on the one or more network topology characteristics.

21. A network computer for monitoring communication over a network between two or more computers, comprising:
- a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  instantiating a monitoring engine to perform actions, including;
  
  monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics, wherein the entities include one or more of a source entity and one or more of a target entity; and
  
  providing a device relation model based on the plurality of entities, the network traffic, and the one or more metrics; and
  
  instantiating an inference engine to perform actions, including;
  
  associating the plurality of entities with one or more privilege levels based on the device relation model and the one or more metrics, wherein a value for each of the one or more privilege levels is based on one or more of an amount of access or an amount of control that the one or more source entities exert over the one or more target entities; and
  
  increasing the one or more privilege levels for a source entity based on one or more metric values that are associated with the one or more target entities that are linked to the source entity; and
  
  instantiating an anomaly engine to perform actions, including;
  
  determine one or more interactions between the one or more source entities and the one or more target entities based on the monitored network traffic;
  
  generating one or more escalation events based on the one or more interactions and the one or more privilege levels associated with the one or more source entities and the one or more target entities, wherein the one or more interactions or the one or more target entities are associated with a privilege level that exceeds the one or more privilege levels associated with the one or more source entities; and
  
  providing the one or more escalation events to one or more users.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The network computer of claim 21, wherein the anomaly engine performs actions, further comprising:
    - determining one or more application protocols that are associated with the one or more interactions based on the monitored network traffic; and
      
      determining a privilege level that is associated with each of the one or more interactions that are associated with the one or more determined application protocols.
  - 23. The network computer of claim 21, wherein the actions of the inference engine further comprise, modifying each privilege level associated with each entity based on one or more characteristics including one or more of resources accessed by an entity, resources provided by the entity, users that access the entity, users that are logged into the entity, an uptime of the entity, privilege levels of connected entities, privilege levels of related entities, privilege levels of the logged in users, number of clients, or additional metadata.
  - 24. The network computer of claim 21, wherein the actions of the monitoring engine further comprise:
    - modifying the device relation model based on one or more of additions or removals of the plurality of entities in the network; and
      
      modifying the one or more privilege levels associated with the plurality of entities based on the one or more modifications to the device relation model.
  - 25. The network computer of claim 21, wherein the anomaly engine performs actions, further comprising:
    - querying one or more databases to obtain information about the one or more interactions, wherein the one or more databases are separate from the anomaly engine and a network monitoring computer; and
      
      further determining the one or more escalation events based on the obtained information.
  - 26. The network computer of claim 21, wherein the monitoring engine performs actions, further comprising:
    - determining one or more network topology characteristics based on the monitored network traffic;
      
      associating one or more default privilege levels with the plurality of entities based on the one or more network topology characteristics.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Wu, Xue Jun, Chen, Songqian, Kazakova, Olga
Primary Examiner(s)
Mehrmanesh, Amir

Application Number

US15/984,197
Time in Patent Office

165 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/245   Query processing

H04L 41/046   comprising network manageme...

H04L 41/12   Discovery or management of ...

H04L 43/062   related to network traffic

H04L 43/12   Network monitoring probes

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04W 12/121   Wireless intrusion detectio...

Privilege inference and monitoring based on network behavior

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

202 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Privilege inference and monitoring based on network behavior

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

202 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links