Privilege inference and monitoring based on network behavior

US 10,277,618 B1
Filed: 10/29/2018
Issued: 04/30/2019
Est. Priority Date: 05/18/2018
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring network traffic using one or more network computers, wherein execution of instructions by the one or more network computers perform the method comprising:

instantiating a monitoring engine to perform actions, including;

monitoring network traffic associated with a plurality of entities in one or more networks; and

providing a device relation model based on the network traffic, the plurality of entities, and the one or more metrics based on the monitored network traffic; and

instantiating an inference engine to perform actions, including;

associating the plurality of entities with one or more privilege levels based on one or more device relation models and the one or more metrics; and

increasing the one or more privilege levels for a source entity based on one or more metric values that are associated with one or more target entities that are linked to the source entity; and

instantiating an anomaly engine to perform actions, including;

determining one or more interactions between one or more source entities and the one or more target entities;

providing one or more escalation events to one or more users based on the one or more interactions and the one or more privilege levels associated with the one or more source entities; and

employing related credential information employed with one or more different applications having related activity from the one or more other activities to identify one or more sources of privilege escalation.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to monitoring network traffic. A monitoring engine may monitor network traffic associated with entities in one or more networks. A device relation model may be provided based on the entities and the network traffic. An inference engine associate the entities with privilege levels based on the device relation model based on an amount of access or an amount of control that source entities exert over the target entities. An anomaly engine may determine one or more interactions between the source entities and the target entities based on the monitored network traffic. The anomaly engine may generate escalation events based on the interactions associated with the source entities and the target entities where the target entities have a higher privilege level than the source entities. The anomaly engine may provide the escalation events to one or more users.

252 Citations

20 Claims

1. A method for monitoring network traffic using one or more network computers, wherein execution of instructions by the one or more network computers perform the method comprising:
- instantiating a monitoring engine to perform actions, including;
  
  monitoring network traffic associated with a plurality of entities in one or more networks; and
  
  providing a device relation model based on the network traffic, the plurality of entities, and the one or more metrics based on the monitored network traffic; and
  
  instantiating an inference engine to perform actions, including;
  
  associating the plurality of entities with one or more privilege levels based on one or more device relation models and the one or more metrics; and
  
  increasing the one or more privilege levels for a source entity based on one or more metric values that are associated with one or more target entities that are linked to the source entity; and
  
  instantiating an anomaly engine to perform actions, including;
  
  determining one or more interactions between one or more source entities and the one or more target entities;
  
  providing one or more escalation events to one or more users based on the one or more interactions and the one or more privilege levels associated with the one or more source entities; and
  
  employing related credential information employed with one or more different applications having related activity from the one or more other activities to identify one or more sources of privilege escalation.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the anomaly engine performs further actions, comprising:
    - determining each of the one or more users that is associated with one or more privilege policies; and
      
      employing the one or more privilege policies to determine which of the one or more escalation events to provide to each of the one or more users.
  - 3. The method of claim 1, wherein the anomaly engine performs further actions, comprising:
    - employing one or more responses by the one or more users to the one or more provided escalation events to modify one or more privilege policies associated with the one or more users.
  - 4. The method of claim 1, further comprising:
    - employing the monitoring engine to perform further actions including discovering a new entity in the one or more networks based on privilege activity monitoring; and
      
      employing the inference engine to perform further actions, including;
      
      adding the new entity to a dependency graph as a critical entity based on one or more of network conditions, entity behavior, or entity characteristics; and
      
      adding one or more inferred privilege levels to the critical entity in the dependency graph based on one or more of privilege activity information or privilege relation information.
  - 5. The method of claim 1, further comprising:
    - employing the monitoring engine to perform further actions including discovering a new entity in the one or more networks based on protocol analysis and identifying remote access behavior directed to the one or more entities; and
      
      employing the inference engine to perform further actions, including;
      
      adding the new entity to an administration graph based on one or more of relationship information detected during administrative activities by the new entity; and
      
      adding one or more inferred privilege levels to the new entity in the administration graph based on one or more of privilege activity information or privilege relation information.
  - 6. The method of claim 1, wherein the anomaly engine performs further actions, comprising:
    - traversing the one or more device relation models to trace network flows that pass through the one or more entities; and
      
      determine network traffic flows that are associated with one or more different applications having related activity from one or more other entities.

7. A system for monitoring network traffic in a network:
- one or more network computers, comprising;
  
  one or more memories that store instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  instantiating a monitoring engine to perform actions, including;
  
  monitoring network traffic associated with a plurality of entities in one or more networks; and
  
  providing a device relation model based on the network traffic, the plurality of entities, and the one or more metrics based on the monitored network traffic; and
  
  instantiating an inference engine to perform actions, including;
  
  associating the plurality of entities with one or more privilege levels based on one or more device relation models and the one or more metrics; and
  
  increasing the one or more privilege levels for a source entity based on one or more metric values that are associated with one or more target entities that are linked to the source entity; and
  
  instantiating an anomaly engine to perform actions, including;
  
  determining one or more interactions between one or more source entities and the one or more target entities;
  
  providing one or more escalation events to one or more users based on the one or more interactions and the one or more privilege levels associated with the one or more source entities; and
  
  employing related credential information employed with one or more different applications having related activity from the one or more other activities to identify one or more sources of privilege escalation.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the anomaly engine performs further actions, comprising:
    - determining each of the one or more users that is associated with one or more privilege policies; and
      
      employing the one or more privilege policies to determine which of the one or more escalation events to provide to each of the one or more users.
  - 9. The system of claim 7, wherein the anomaly engine performs further actions, comprising:
    - employing one or more responses by the one or more users to the one or more provided escalation events to modify one or more privilege policies associated with the one or more users.
  - 10. The system of claim 7, further comprising:
    - employing the monitoring engine to perform further actions including discovering a new entity in the one or more networks based on privilege activity monitoring; and
      
      employing the inference engine to perform further actions, including;
      
      adding the new entity to a dependency graph as a critical entity based on one or more of network conditions, entity behavior, or entity characteristics; and
      
      adding one or more inferred privilege levels to the critical entity in the dependency graph based on one or more of privilege activity information or privilege relation information.
  - 11. The system of claim 7, further comprising:
    - employing the monitoring engine to perform further actions including discovering a new entity in the one or more networks based on protocol analysis and identifying remote access behavior directed to the one or more entities; and
      
      employing the inference engine to perform further actions, including;
      
      adding the new entity to an administration graph based on one or more of relationship information detected during administrative activities by the new entity; and
      
      adding one or more inferred privilege levels to the new entity in the administration graph based on one or more of privilege activity information or privilege relation information.
  - 12. The system of claim 7, wherein the anomaly engine performs further actions, comprising:
    - traversing the one or more device relation models to trace network flows that pass through the one or more entities; and
      
      determine network traffic flows that are associated with one or more different applications having related activity from one or more other entities.

13. A processor readable non-transitory storage media that includes instructions for monitoring network traffic using one or more network monitoring computers, wherein execution of the instructions by the one or more network computers perform the method comprising:
- instantiating a monitoring engine to perform actions, including;
  
  monitoring network traffic associated with a plurality of entities in one or more networks; and
  
  providing a device relation model based on the network traffic, the plurality of entities, and the one or more metrics based on the monitored network traffic; and
  
  instantiating an inference engine to perform actions, including;
  
  associating the plurality of entities with one or more privilege levels based on one or more device relation models and the one or more metrics; and
  
  increasing the one or more privilege levels for a source entity based on one or more metric values that are associated with one or more target entities that are linked to the source entity; and
  
  instantiating an anomaly engine to perform actions, including;
  
  determining one or more interactions between one or more source entities and the one or more target entities;
  
  providing one or more escalation events to one or more users based on the one or more interactions and the one or more privilege levels associated with the one or more source entities; and
  
  employing related credential information employed with one or more different applications having related activity from the one or more other activities to identify one or more sources of privilege escalation.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The media of claim 13, wherein the anomaly engine performs further actions, comprising:
    - determining each of the one or more users that is associated with one or more privilege policies; and
      
      employing the one or more privilege policies to determine which of the one or more escalation events to provide to each of the one or more users.
  - 15. The media of claim 13, wherein the anomaly engine performs further actions, comprising:
    - employing one or more responses by the one or more users to the one or more provided escalation events to modify one or more privilege policies associated with the one or more users.
  - 16. The media of claim 13, further comprising:
    - employing the monitoring engine to perform further actions including discovering a new entity in the one or more networks based on privilege activity monitoring; and
      
      employing the inference engine to perform further actions, including;
      
      adding the new entity to a dependency graph as a critical entity based on one or more of network conditions, entity behavior, or entity characteristics; and
      
      adding one or more inferred privilege levels to the critical entity in the dependency graph based on one or more of privilege activity information or privilege relation information.
  - 17. The media of claim 13, further comprising:
    - employing the monitoring engine to perform further actions including discovering a new entity in the one or more networks based on protocol analysis and identifying remote access behavior directed to the one or more entities; and
      
      employing the inference engine to perform further actions, including;
      
      adding the new entity to an administration graph based on one or more of relationship information detected during administrative activities by the new entity; and
      
      adding one or more inferred privilege levels to the new entity in the administration graph based on one or more of privilege activity information or privilege relation information.
  - 18. The media of claim 13, wherein the anomaly engine performs further actions, comprising:
    - traversing the one or more device relation models to trace network flows that pass through the one or more entities; and
      
      determine network traffic flows that are associated with one or more different applications having related activity from one or more other entities.

19. A network computer for monitoring communication over a network between two or more other computers, comprising:
- one or more memories that store instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  instantiating a monitoring engine to perform actions, including;
  
  providing one or more metrics for a plurality of entities in one or more networks based on monitored network traffic; and
  
  instantiating an inference engine to perform actions, including;
  
  associating the plurality of entities with one or more privilege levels based on one or more device relation models and the one or more metrics; and
  
  increasing the one or more privilege levels for a source entity based on one or more metric values that are associated with one or more target entities that are linked to the source entity; and
  
  instantiating an anomaly engine to perform actions, including;
  
  determining one or more interactions between one or more source entities and the one or more target entities; and
  
  providing one or more escalation events to one or more users based on the one or more interactions and the one or more privilege levels associated with the one or more source entities.
- View Dependent Claims (20)
- - 20. The network computer of claim 19, wherein the anomaly engine performs further actions, comprising:
    - determining each of the one or more users that is associated with one or more privilege policies; and
      
      employing the one or more privilege policies to determine which of the one or more escalation events to provide to each of the one or more users.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Wu, Xue Jun, Chen, Songqian, Kazakova, Olga
Primary Examiner(s)
Mehrmanesh, Amir

Application Number

US16/174,051
Time in Patent Office

183 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/245   Query processing

H04L 41/046   comprising network manageme...

H04L 41/12   Discovery or management of ...

H04L 43/062   related to network traffic

H04L 43/12   Network monitoring probes

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04W 12/121   Wireless intrusion detectio...

Privilege inference and monitoring based on network behavior

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

252 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Privilege inference and monitoring based on network behavior

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

252 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links