-
公开(公告)号:WO2018071356A1
公开(公告)日:2018-04-19
申请号:PCT/US2017/055826
申请日:2017-10-10
Applicant: NEC LABORATORIES AMERICA, INC.
Inventor: TANG, LuAn , ZHANG, Hengtong , CHEN, Zhengzhang , ZONG, Bo , LI, Zhichun , JIANG, Guofei , YOSHIHIRA, Kenji
CPC classification number: G06F21/554 , G06F21/55 , G06F21/60
Abstract: Methods and systems for detecting anomalous events include detecting anomalous events (42, 43) in monitored system data. An event correlation graph is generated (302) based on the monitored system data that characterizes the tendency of processes to access system targets. Kill chains are generated (310) that connect malicious events over a span of time from the event correlation graph that characterize events in an attack path over time by sorting events according to a maliciousness value and determining at least one sub-graph within the event correlation graph with an above-threshold maliciousness rank. A security management action is performed (412) based on the kill chains.
Abstract translation: 用于检测异常事件的方法和系统包括检测所监视的系统数据中的异常事件(42,43)。 基于监视的系统数据生成(302)事件关联图,表征过程访问系统目标的倾向。 通过根据恶意值对事件进行排序并确定事件相关内的至少一个子图,产生(310)从事件关联图中连接恶意事件的杀死链(310),所述事件关联图随时间表征攻击路径中的事件 图表具有高于阈值的恶意级别。 基于杀链来执行安全管理操作(412)。
-
2.发明申请CONSTRUCTING GRAPH MODELS OF EVENT CORRELATION IN ENTERPRISE SECURITY SYSTEMS 审中-公开企业安全系统中事件相关性的图形模型构建
公开(公告)号:WO2018071355A1
公开(公告)日:2018-04-19
申请号:PCT/US2017/055825
申请日:2017-10-10
Applicant: NEC LABORATORIES AMERICA, INC.
Inventor: TANG, LuAn , ZHANG, Hengtong , CHEN, Zhengzhang , ZONG, Bo , LI, Zhichun , JIANG, Guofei , YOSHIHIRA, Kenji
CPC classification number: G06F21/552 , G06F21/554
Abstract: Methods and systems for detecting anomalous events include detecting anomalous events (42,43) in monitored system data. An event correlation graph is generated (302) by determining a tendency for a first process to access a system target, include an innate tendency of the first process to access the system target, an influence of previous events from the first process, and an influence of processes other than the first process. Kill chains are generated (310) from the event correlation graph that characterize events in an attack path over time. A security management action is performed (412) based on the kill chains.
Abstract translation: 用于检测异常事件的方法和系统包括检测监测到的系统数据中的异常事件(42,43)。 通过确定第一过程访问系统目标的趋势,包括第一过程访问系统目标的先天趋势,来自第一过程的先前事件的影响以及影响第一过程的影响来生成事件相关图(302) 除第一个过程以外的过程。 从事件关联图生成(310)杀死链,表征攻击路径随时间的事件。 基于杀链来执行安全管理操作(412)。
-
Search Results
2
records
(took 0.024 seconds)
