EVENT CORRELATION ACROSS HETEROGENEOUS OPERATIONS
First Claim
1. A computer-implemented method for correlating domain activity data, the method being executed by one or more processors and comprising:
receiving first domain activity data from a first network domain and second domain activity data from a second network domain, the first domain activity data and the second domain activity data including events, alerts, or both from the respective first and second network domains;
filtering the first domain activity data and the second domain activity data to remove irrelevant activity data, based on a first set of profile data for devices in the first network domain and a second set of profile data for devices in the second network domain;
aggregating unfiltered first domain activity data and unfiltered second domain activity data;
correlating aggregated unfiltered first domain activity data and unfiltered second domain activity data to determine an attack path for an attack that occurs across the first network domain and the second network domain, based on attack signatures and profiles associated with previously identified attacks; and
generating a visualization of the attack path.
Abstract
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for correlating domain activity data. First domain activity data from a first network domain and second domain activity data from a second network domain is received. The first domain activity data and the second domain activity data is filtered to remove irrelevant activity data, based on a first set of profile data for devices in the first network domain and a second set of profile data for devices in the second network domain. Unfiltered first and second domain activity data is aggregated. Aggregated unfiltered first and second domain activity data is correlated to determine an attack path for an attack that occurs across the first network domain and the second network domain, based on attack signatures and profiles associated with previously identified attacks. A visualization of the attack path is generated.
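The pipeline recited in the first claim and restated in the abstract (and again in the system and storage-medium claims 15 and 20), as an added worked example in Python. This is illustrative code written for this page, not the patent's own implementation. The IT and OT domain labels, the device profile layout, the event kinds, the src=/dst= convention for recording a pivot between devices, the signature format and the Graphviz DOT output are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    domain: str       # reporting network domain ("IT"/"OT" are labels assumed for this example)
    ts: datetime
    device: str
    kind: str         # normalized event or alert type
    detail: str = ""  # free text; "src=<dev>"/"dst=<dev>" tokens record a pivot (assumed convention)

# Constructed per-domain profile data: device class plus the event kinds that are normal
# for that device. Activity matching its device profile is treated as irrelevant.
PROFILES = {
    "IT": {"ws-fin-07": {"class": "workstation", "expected": {"auth_success", "dns_query"}}},
    "OT": {"hmi-01": {"class": "hmi", "expected": {"modbus_read"}},
           "plc-03": {"class": "plc", "expected": {"modbus_read"}}},
}

@dataclass(frozen=True)
class Signature:
    name: str
    stages: tuple      # ordered (domain, kind) pairs taken from a previously identified attack
    window: timedelta  # every stage must occur within this span of the first

def filter_relevant(events, profiles):
    """Drop events from devices with no profile in their domain (nothing to judge them
    against) and events whose kind the device profile marks as expected."""
    kept = []
    for e in events:
        prof = profiles.get(e.domain, {}).get(e.device)
        if prof is not None and e.kind not in prof["expected"]:
            kept.append(e)
    return kept

def aggregate(*streams):
    """Merge the per-domain streams into one timeline ordered by timestamp."""
    return sorted((e for s in streams for e in s), key=lambda e: e.ts)

def linked(prev, cur):
    """Consecutive stages join one path if they hit the same device or the pivot
    between devices is recorded in either event's src=/dst= detail."""
    return (prev.device == cur.device or f"dst={cur.device}" in prev.detail
            or f"src={prev.device}" in cur.detail)

def correlate(timeline, signatures):
    """Greedy first-match walk per signature: anchor on the earliest stage-0 event, then
    take the first later linked event for each following stage inside the window.
    Returns {signature name: [events]} for signatures matched end to end."""
    paths = {}
    for sig in signatures:
        for i, start in enumerate(timeline):
            if (start.domain, start.kind) != sig.stages[0]:
                continue
            path, pos, deadline = [start], i, start.ts + sig.window
            for stage in sig.stages[1:]:
                hit = next(((j, e) for j, e in enumerate(timeline[pos + 1:], pos + 1)
                            if e.ts <= deadline and (e.domain, e.kind) == stage
                            and linked(path[-1], e)), None)
                if hit is None:
                    break
                pos, e = hit
                path.append(e)
            if len(path) == len(sig.stages):
                paths[sig.name] = path
                break
    return paths

def to_dot(name, path):
    """Render an attack path as Graphviz DOT: one node per event, edges in stage order,
    each edge labelled with the delay since the previous stage."""
    ids = [f"{e.domain}:{e.device}:{e.kind}" for e in path]
    lines = [f'digraph "{name}" {{', "  rankdir=LR;"]
    for e, nid in zip(path, ids):
        lines.append(f'  "{nid}" [label="{e.domain} {e.device}\\n{e.kind}\\n{e.ts:%H:%M:%S}"];')
    for a, b, ea, eb in zip(ids, ids[1:], path, path[1:]):
        lines.append(f'  "{a}" -> "{b}" [label="+{int((eb.ts - ea.ts).total_seconds())}s"];')
    lines.append("}")
    return "\n".join(lines)

def T(hms):
    return datetime.fromisoformat(f"2024-05-01T{hms}")

IT_EVENTS = [  # constructed IT-domain events and alerts
    Event("IT", T("09:59:50"), "ws-fin-07", "auth_success"),                   # expected: filtered out
    Event("IT", T("10:00:05"), "ws-fin-07", "malware_exec", "hash=0x1a2b"),
    Event("IT", T("10:00:07"), "unknown-99", "malware_exec"),                   # no profile: filtered out
    Event("IT", T("10:02:00"), "ws-fin-07", "lateral_movement", "dst=hmi-01 proto=rdp"),
]
OT_EVENTS = [  # constructed OT-domain events and alerts
    Event("OT", T("09:00:00"), "plc-03", "modbus_write", "coil=7"),             # before stage 0: not chained
    Event("OT", T("10:03:00"), "hmi-01", "remote_login", "src=ws-fin-07"),
    Event("OT", T("10:03:30"), "hmi-01", "modbus_read"),                        # expected: filtered out
    Event("OT", T("10:04:00"), "hmi-01", "modbus_write", "dst=plc-03 coil=7"),
]
IT_TO_OT = Signature("it_to_ot_pivot", (("IT", "malware_exec"), ("IT", "lateral_movement"),
                                        ("OT", "remote_login"), ("OT", "modbus_write")),
                     timedelta(minutes=10))

def run(it_events=IT_EVENTS, ot_events=OT_EVENTS, profiles=PROFILES, signatures=(IT_TO_OT,)):
    """Full pipeline: filter each domain against its profiles, aggregate, correlate."""
    timeline = aggregate(filter_relevant(it_events, profiles), filter_relevant(ot_events, profiles))
    return correlate(timeline, signatures)

if __name__ == "__main__":
    for name, path in run().items():
        print(to_dot(name, path))
```

Running the script prints the DOT graph of the recovered IT-to-OT path, which `dot -Tpng` renders. Two points the claim language leaves open matter in practice: the filter drops events from any device missing from the profile data, so an unprofiled asset in either domain silently disappears from correlation (an inventory gap is itself worth an alert rather than a discard), and the cross-domain window is only meaningful once both domains' timestamps are normalized to a common clock, since OT sensors are frequently seconds to minutes adrift from the IT domain.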
20 Claims
1. Claim 1 is set out in full under First Claim above. Dependent claims: 2 through 14.
15. A system, comprising:
one or more processors; and
a computer-readable storage device coupled to the one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for correlating domain activity data, the operations comprising:
receiving first domain activity data from a first network domain and second domain activity data from a second network domain, the first domain activity data and the second domain activity data including events, alerts, or both from the respective first and second network domains;
filtering the first domain activity data and the second domain activity data to remove irrelevant activity data, based on a first set of profile data for devices in the first network domain and a second set of profile data for devices in the second network domain;
aggregating unfiltered first domain activity data and unfiltered second domain activity data;
correlating aggregated unfiltered first domain activity data and unfiltered second domain activity data to determine an attack path for an attack that occurs across the first network domain and the second network domain, based on attack signatures and profiles associated with previously identified attacks; and
generating a visualization of the attack path.
Dependent claims: 16 through 19.
20. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for correlating domain activity data, the operations comprising:
receiving first domain activity data from a first network domain and second domain activity data from a second network domain, the first domain activity data and the second domain activity data including events, alerts, or both from the respective first and second network domains;
filtering the first domain activity data and the second domain activity data to remove irrelevant activity data, based on a first set of profile data for devices in the first network domain and a second set of profile data for devices in the second network domain;
aggregating unfiltered first domain activity data and unfiltered second domain activity data;
correlating aggregated unfiltered first domain activity data and unfiltered second domain activity data to determine an attack path for an attack that occurs across the first network domain and the second network domain, based on attack signatures and profiles associated with previously identified attacks; and
generating a visualization of the attack path.
Specification