System and method for detecting lateral movement and data exfiltration

US 10,326,778 B2
Filed: 11/09/2015
Issued: 06/18/2019
Est. Priority Date: 02/24/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more devices on a network to;

monitor network data transmitted over the network between a plurality of internal devices on the network and between at least one of the plurality of internal devices and at least one external device outside the network;

detect a first order indicator of compromise on the network based on the network data transmitted over the network;

detect one or more indicators of a compromised entity detected by a honey host,the compromised entity, detected by the honey host, being one of the plurality of internal devices;

detect a second order indicator of compromise on the network based on the network data transmitted over the network;

correlate the one or more indicators of the compromised entity detected by the honey host, the first order indicator of compromise on the network, and the second order indicator of compromise on the network;

generate a risk score for the network data based on correlating the one or more indicators of the compromised entity detected by the honey host, the first order indicator of compromise on the network, and the second order indicator of compromise on the network;

generate at least one incident alert based on comparing the risk score and a threshold; and

quarantine the network data based on the network data being identified as suspicious or malware.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system configured to detect a threat activity on a network. The system including a digital device configured to detect a first order indicator of compromise on a network, detect a second order indicator of compromise on the network, generate a risk score based on correlating said first order indicator of compromise on the network with the second order indicator of compromise on said network, and generate at least one incident alert based on comparing the risk score to a threshold.

126 Citations

26 Claims

1. A system comprising:
- one or more devices on a network to;
  
  monitor network data transmitted over the network between a plurality of internal devices on the network and between at least one of the plurality of internal devices and at least one external device outside the network;
  
  detect a first order indicator of compromise on the network based on the network data transmitted over the network;
  
  detect one or more indicators of a compromised entity detected by a honey host,the compromised entity, detected by the honey host, being one of the plurality of internal devices;
  
  detect a second order indicator of compromise on the network based on the network data transmitted over the network;
  
  correlate the one or more indicators of the compromised entity detected by the honey host, the first order indicator of compromise on the network, and the second order indicator of compromise on the network;
  
  generate a risk score for the network data based on correlating the one or more indicators of the compromised entity detected by the honey host, the first order indicator of compromise on the network, and the second order indicator of compromise on the network;
  
  generate at least one incident alert based on comparing the risk score and a threshold; and
  
  quarantine the network data based on the network data being identified as suspicious or malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, where the one or more devices are further to:
    - generate a behavior profile for at least one network device.
  - 3. The system of claim 2, where the one or more devices, when generating the behavior profile, are to:
    - generate the behavior profile based on one or more activities at multiple levels.
  - 4. The system of claim 3, where the one or more activities at multiple levels includes network traffic patterns across a protocol stack.
  - 5. The system of claim 3, where the one or more activities at multiple levels includes network traffic patterns between two or more network devices.
  - 6. The system of claim 3, where the one or more activities at multiple levels includes network traffic patterns based on applications.
  - 7. The system of claim 2, where the one or more devices, when generating the behavior profile, are to:
    - generate the behavior profile based on one or more heuristics.
  - 8. The system of claim 2, where the one or more devices, when generating the behavior profile, are to:
    - generate the behavior profile based on machine learning.
  - 9. The system of claim 2, where the one or more devices, when generating the behavior profile, are to:
    - generate the behavior profile based on one or more behavior patterns of at least one endpoint device.
  - 10. The system of claim 2, where the one or more devices, when generating the behavior profile, are to:
    - generate the behavior profile based on one or more behavior patterns of an end-user device.
  - 11. The system of claim 2, where the one or more devices are further to:
    - detect real-time observations of the at least one network device,compare the real-time observations and the behavior profile for the at least one network device, andgenerate one or more anomalies based on the comparison of the real-time observations and the behavior profile for the at least one network device.

12. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors, cause the one or more processors to;
  
  monitor network data transmitted over a network between a plurality of internal devices on the network and between at least one of the plurality of internal devices and at least one external device outside the network;
  
  detect a first order indicator of compromise on the network based on the network data transmitted over the network;
  
  detect one or more indicators of a compromised entity detected by a honey host,the compromised entity, detected by the honey host, being one of the plurality of internal devices;
  
  detect a second order indicator of compromise on the network based on the network data transmitted over the network;
  
  correlate the one or more indicators of the compromised entity detected by the honey host, the first order indicator of the compromise on the network, and the second order indicator of the compromise on the network;
  
  generate a risk score for the network data based on correlating the one or more indicators of the compromised entity detected by the honey host, the first order indicator of compromise on the network, and the second order indicator of compromise on the network;
  
  generate at least one incident alert based on comparing the risk score and a threshold; and
  
  quarantine the network data based on the network data being identified as suspicious or malware.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The non-transitory computer-readable medium of claim 12, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - generate a behavior profile for at least one network device.
  - 14. The non-transitory computer-readable medium of claim 13, where the one or more instructions, that cause the one or more processors to generate the behavior profile, cause the one or more processors to:
    - generate the behavior profile based on one or more activities at multiple levels.
  - 15. The non-transitory computer-readable medium of claim 14, where the one or more activities at multiple levels includes network traffic patterns across a protocol stack.
  - 16. The non-transitory computer-readable medium of claim 12, where the one or more instructions, that cause the one or more processors to detect the first order indicator of compromise, cause the one or more processors to:
    - determine traffic patterns for at least one of;
      
      address resolution protocol (“
      
      ARP”
      
      ) traffic;
      
      dynamic host configuration protocol (“
      
      DHCP”
      
      ) traffic;
      
      Internet control message protocol (“
      
      ICMP”
      
      ) traffic between media access control (“
      
      MAC”
      
      ) addresses;
      
      orICMP traffic between Internet protocol (“
      
      IP”
      
      ) addresses.
  - 17. The non-transitory computer-readable medium of claim 12, where the one or more indicators of the compromised entity detected by the honey host includes at least one of:
    - an attempt to prove the honey host for open ports to gain access to the honey host, oran attempt to examine or move data on the honey host.
  - 18. The non-transitory computer-readable medium of claim 12, where the one or more instructions, that cause the one or more processors to generate the risk score, cause the one or more processors to:
    - generate the risk score based on;
      
      an asset value assigned to a network device or an end-user device; and
      
      a current security posture of the network device or the end-user device.

19. A method, comprising:
- monitoring, by a device, network data transmitted over a network between a plurality of internal devices on the network and between at least one of the plurality of internal devices and at least one external device outside the network;
  
  detecting, by the device, a first order indicator of compromise on the network based on the network data transmitted over the network;
  
  detecting, by the device, one or more indicators of a compromised entity detected by a honey host,the compromised entity, detected by the honey host, being one of the plurality of internal devices;
  
  detecting, by the device, a second order indicator of compromise on the network based on the network data transmitted over the network;
  
  correlating, by the device, the one or more indicators of the compromised entity detected by the honey host, the first order indicator of compromise on the network, and the second order indicator of compromise;
  
  generating, by the device, a risk score for the network data based on correlating the one or more indicators of the compromised entity detected by the honey host, the first order indicator of compromise on the network, and the second order indicator of compromise on the network;
  
  generating, by the device, at least one incident alert based on comparing the risk score and a threshold; and
  
  quarantining, by the device, the network data based on the network data being identified as suspicious or malware.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The method of claim 19, further comprising:
    - generating a behavior profile for at least one end-user device under control of a network user.
  - 21. The method of claim 20, wherein generating the behavior profile comprises:
    - generating the behavior profile based an authorization of the network user to use the at least one end-user device on the network and one or more activities the network user performs on the at least one end-user device.
  - 22. The method of claim 20, further comprising:
    - detecting real-time observations of the at least one end-user device;
      
      comparing the real-time observations and the behavior profile for the at least one end-user device; and
      
      generating one or more anomalies based on the comparison of the real-time observations and the behavior profile for the at least one end-user device.
  - 23. The method of claim 19, further comprising:
    - generating a behavior profile for at least one network device.
  - 24. The method of claim 23, wherein generating the behavior profile comprises:
    - generating the behavior profile based on one or more activities at multiple levels.
  - 25. The method of claim 23, further comprising:
    - detecting real-time observations of the at least one network device;
      
      comparing the real-time observations and the behavior profile for the at least one network device; and
      
      generating one or more anomalies based on the comparison of the real-time observations and the behavior profile for the at least one network device.
  - 26. The method of claim 19, wherein the compromised entity detected by the honey host includes at least one of:
    - an application on the network;
      
      ora rogue user on the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyphort Inc. (Juniper Networks Incorporated)
Original Assignee
Cyphort Inc. (Juniper Networks Incorporated)
Inventors
Gong, Fengmin, Burt, Alexander, Jas, Frank
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Chao, Michael W

Application Number

US14/936,612
Publication Number

US 20160065601A1
Time in Patent Office

1,317 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/561   Virus type analysis

G06F 21/564   by virus signature recognition

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

System and method for detecting lateral movement and data exfiltration

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

126 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting lateral movement and data exfiltration

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

126 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links