Graph-based detection of network security issues
- Publication Date: January 21, 2025
- Additional information
- Patent Number: 12,206,693
- Appl. No: 17/745482
- Application Filed: May 16, 2022
- Abstract: The disclosed techniques relate to a graph-based network security analytic framework that combines multiple sources of information and security knowledge in order to detect risky behaviors and potential threats. In some examples, the input can be anomaly events or simply regular events. The entities associated with the activities can be grouped into smaller time units, e.g., per day. The riskiest days of activity can be found by computing a risk score for each day from the features observed in that day. A graph can be built with links between the time units. The links can also receive scores based on a number of factors. The resulting graph can be compared with known security knowledge for adjustments. Threats can be detected based on the adjusted risk score for a component (i.e., a group of linked entities) as well as a number of other factors.
- Inventors: Splunk Inc. (San Francisco, CA, US)
- Assignees: Cisco Technology, Inc. (San Jose, CA, US)
- Claim: 1. A method comprising: accessing a relationship graph in which entities associated with an information technology network are represented as nodes and relationships among the nodes are represented as links; assigning the nodes in the relationship graph to groups to form a plurality of groups, each group of the plurality of groups including nodes associated with activities that occurred within a same unit of time; constructing links between nodes across different groups of the plurality of groups, to form a chain of linked nodes, the chain of linked nodes forming a component; computing a score for the component, wherein the score is indicative of a level of interest associated with nodes attached to a given link, and wherein each node had been assigned an anomaly score from a previous data analytic stage; identifying the component for security scrutiny based on the computed score; and performing a network security related action on the identified component.
- Claim: 2. The method of claim 1, further comprising: adjusting the score for the component based on comparing events underlying the component with a pattern of interest, wherein the pattern of interest identifies an expected temporal order and/or logical relationship in underlying events for the component to be of interest.
- Claim: 3. The method of claim 2, wherein the compared events comprise events that have been earmarked as anomalies, and wherein each node is assigned an anomaly score from a previous data analytic stage.
- Claim: 4. The method of claim 1, wherein the relationship graph is a subset of a composite relationship graph that includes edges representing a plurality of anomalous activities conducted by entities.
- Claim: 5. The method of claim 1, further comprising: determining a link score for the component.
- Claim: 6. The method of claim 1, further comprising: determining a link score for each link in the component, based on a number of common nodes between the groups with which the component is associated.
- Claim: 7. The method of claim 1, further comprising: determining a link score for the component, based on a distance in time between the groups with which the component is associated.
- Claim: 8. The method of claim 1, further comprising: determining a link score for the component, based on an anomaly score of each node in the component.
- Claim: 9. The method of claim 1, further comprising: determining a link score for each link in the component, wherein the score for the component is based on the link score of the link that connects the nodes in the component.
- Claim: 10. The method of claim 1, further comprising: creating a new graph using the component.
- Claim: 11. The method of claim 1, further comprising: creating a new graph using the component, wherein the new graph includes nodes with respective links and a corresponding group, and wherein the nodes in the new graph are coupled to underlying events so that, responsive to a request, the underlying events are output as supporting evidence.
- Claim: 12. The method of claim 1, further comprising: before assigning the nodes in the relationship graph to groups, filtering the nodes and links in the relationship graph by removing nodes that include a whitelisted entity.
- Claim: 13. The method of claim 1, further comprising: before assigning the nodes in the relationship graph to groups, filtering the nodes and links in the relationship graph by removing nodes that include an entity having more than a threshold number of anomaly links to other entities.
- Claim: 14. A computer system comprising: a processor; and a communication device, operatively coupled to the processor, through which to receive event data indicative of activity of entities associated with an information technology network; wherein the processor is configured to perform operations including: accessing a relationship graph in which the entities associated with the information technology network are represented as nodes and relationships among the nodes are represented as links; assigning the nodes in the relationship graph to groups to form a plurality of groups, each group of the plurality of groups including nodes associated with activities that occurred within a same unit of time; constructing links between nodes across different groups of the plurality of groups, to form a chain of linked nodes, the chain of linked nodes forming a component; computing a score for the component, wherein the score is indicative of a level of interest associated with nodes attached to a given link, and wherein each node had been assigned an anomaly score from a previous data analytic stage; identifying the component for security scrutiny based on the computed score; and performing a network security related action on the identified component.
- Claim: 15. The computer system of claim 14, wherein said operations further include: adjusting the score for the component based on comparing events underlying the component with a pattern of interest, wherein the pattern of interest identifies an expected temporal order and/or logical relationship in underlying events for the component to be of interest.
- Claim: 16. The computer system of claim 15, wherein the compared events comprise events that have been earmarked as anomalies, and wherein each node is assigned an anomaly score from a previous data analytic stage.
- Claim: 17. A non-transitory machine-readable storage medium for use in a processing system, the non-transitory machine-readable storage medium storing instructions, execution of which in the processing system causes the processing system to perform operations comprising: accessing a relationship graph in which entities associated with an information technology network are represented as nodes and relationships among the nodes are represented as links; assigning the nodes in the relationship graph to groups to form a plurality of groups, each group of the plurality of groups including nodes associated with activities that occurred within a same unit of time; constructing links between nodes across different groups of the plurality of groups, to form a chain of linked nodes, the chain of linked nodes forming a component; computing a score for the component, wherein the score is indicative of a level of interest associated with nodes attached to a given link, and wherein each node had been assigned an anomaly score from a previous data analytic stage; identifying the component for security scrutiny based on the computed score; and performing a network security related action on the identified component.
- Claim: 18. The non-transitory machine-readable storage medium of claim 17, said operations further including: determining a link score for the component.
- Claim: 19. The non-transitory machine-readable storage medium of claim 17, said operations further including: determining a link score for each link in the component, based on a number of common nodes between the groups with which the component is associated.
- Claim: 20. The non-transitory machine-readable storage medium of claim 17, further comprising: determining a link score for the component, based on an anomaly score of each node in the component.
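As an added worked example (not code from the patent, Splunk or Cisco), the following Python sketch walks the pipeline of claims 1, 6 to 9 and 12 over constructed anomaly events: whitelisted entities are dropped, nodes are grouped by day, days that share entities are linked, each link is scored from common nodes, time distance and the nodes' prior anomaly scores, and the chained groups form a component whose score is its strongest link. The entity names, scores and the exact scoring formula are assumptions for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample input (not from the patent): (entity, day index, anomaly
# score assigned to that entity by an earlier analytic stage).
EVENTS = [("host-a", 1, 0.9), ("user-x", 1, 0.7),
          ("host-a", 2, 0.8), ("user-x", 2, 0.6), ("host-b", 2, 0.2),
          ("host-a", 3, 0.95), ("host-b", 3, 0.1),
          ("printer", 3, 0.3), ("host-c", 7, 0.4)]
WHITELIST = {"printer"}  # claim 12: whitelisted entities are removed first

def build_groups(events, whitelist=WHITELIST):
    # Claim 1: each group holds the nodes active within one unit of time (a day).
    groups = defaultdict(dict)
    for entity, day, score in events:
        if entity not in whitelist:
            groups[day][entity] = max(score, groups[day].get(entity, 0.0))
    return dict(groups)

def link_score(g1, g2, dist):
    # Claims 6-8: shared nodes, high anomaly scores and short time distance raise the score.
    common = set(g1) & set(g2)
    if not common:
        return 0.0
    mean_anomaly = sum(g1[e] + g2[e] for e in common) / (2 * len(common))
    return len(common) * mean_anomaly / dist

def build_links(groups, max_dist=2):
    # Link every pair of groups that shares an entity within max_dist days.
    links = {}
    for d1, d2 in combinations(sorted(groups), 2):
        s = link_score(groups[d1], groups[d2], d2 - d1) if d2 - d1 <= max_dist else 0.0
        if s > 0:
            links[(d1, d2)] = s
    return links

def components(groups, links):
    # Chain linked groups into components (union-find); a component's score is
    # its strongest link (claim 9), which ranks it for security scrutiny.
    parent = {d: d for d in groups}
    def find(d):
        return d if parent[d] == d else find(parent[d])
    for d1, d2 in links:
        parent[find(d1)] = find(d2)
    comps = defaultdict(lambda: {"days": [], "score": 0.0})
    for d in sorted(groups):
        comps[find(d)]["days"].append(d)
    for (d1, d2), s in links.items():
        comps[find(d1)]["score"] = max(comps[find(d1)]["score"], s)
    return sorted(comps.values(), key=lambda c: -c["score"])
```

With the sample events, days 1 to 3 chain into one component scored 1.5 by the day 1 to day 2 link, while the isolated day 7 activity scores 0.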
- Primary Examiner: Chen, Shin-Hon (Eric)
- Attorney, Agent or Firm: Perkins Coie LLP
- Identifier: edspgr.12206693
Copyright © 2024, Department of Culture and Tourism. All rights reserved. Powered by EBSCO Stacks 3.3.0