US 11,792,211 B2
System for detecting and remediating computing system breaches using computing network traffic monitoring
Brandon Sloane, Santa Barbara, CA (US)
Assigned to BANK OF AMERICA CORPORATION, Charlotte, NC (US)
Filed by BANK OF AMERICA CORPORATION, Charlotte, NC (US)
Filed on Jan. 7, 2021, as Appl. No. 17/143,385.
Prior Publication US 2022/0217158 A1, Jul. 7, 2022
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1416 (2013.01) [H04L 63/145 (2013.01); H04L 63/1425 (2013.01)] 18 Claims
 
1. A system for detecting and remediating computing system breaches using computing network traffic monitoring, the system comprising:
a memory device with computer-readable program code stored thereon;
a communication device; and
a processing device operatively coupled to the memory device and the communication device, wherein the processing device is configured to execute the computer-readable program code to:
detect a topology of one or more computing systems in a network, the one or more computing systems comprising an origin computing system and a destination computing system;
retrieve one or more historical network traffic logs from the one or more computing systems in the network;
based on the one or more historical network traffic logs, detect one or more data transfers between the origin computing system and the destination computing system;
generate a ranked list of likelihood scores for each of the one or more data transfers, the one or more data transfers comprising a first data transfer and a second data transfer, wherein the likelihood scores reflect a likelihood of lateral movement of a vector from the origin computing system to the destination computing system through the one or more data transfers, wherein generating the ranked list further comprises:
determining, based on comparing a data transfer type of the first data transfer to a data transfer type of the second data transfer, that the vector is more likely to traverse between the origin computing system and the destination computing system through the data transfer type of the first data transfer;
generating likelihood scores for the first data transfer and the second data transfer, wherein the likelihood score of the first data transfer is higher than the likelihood score of the second data transfer; and
adjusting, using machine learning, a scoring algorithm for computing the likelihood scores based on historical likelihood scores; and
based on the ranked list of likelihood scores, detect that the likelihood score of the first data transfer is above a defined threshold;
based on detecting that the likelihood score of the first data transfer is above the defined threshold, automatically implement an escalating series of remediation steps associated with the vector, wherein the escalating series of remediation steps comprises, in order, 1) applying software updates for computing systems along the first data transfer, 2) implementing a network segmentation scheme for the computing systems along the first data transfer, and 3) performing a system wipe of the computing systems along the first data transfer, wherein applying software updates reduces the likelihood score of the first data transfer by a first amount, wherein implementing the network segmentation scheme reduces the likelihood score of the first data transfer by a second amount that is greater than the first amount, and wherein performing the system wipe reduces the likelihood score of the first data transfer by a third amount greater than the second amount.
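The pipeline claim 1 describes (transfers detected from historical traffic logs, likelihood scores ranked by data transfer type, a threshold, then the three escalating remediation steps with increasing score reductions) as an added illustration in Python; this is not the patent's disclosed implementation. The log records, per-type traversal weights, threshold and reduction amounts are constructed for the example, and the machine-learning adjustment of the scoring algorithm is left out.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of historical network traffic log records:
# (origin host, destination host, data transfer type). Not real data.
SAMPLE_LOGS: List[Tuple[str, str, str]] = (
    [("host-a", "host-b", "smb")] * 5
    + [("host-a", "host-b", "https")] * 3
    + [("host-a", "host-c", "ssh")] * 2
    + [("host-b", "host-c", "dns")] * 6
)

# Assumed per-type traversal weights: how readily a vector moves laterally
# over each transfer type. Hypothetical values chosen for illustration only.
TYPE_WEIGHTS: Dict[str, float] = {"smb": 0.9, "rdp": 0.8, "ssh": 0.6, "https": 0.3, "dns": 0.1}

# Remediation steps in the claimed order; each assumed reduction is larger
# than the one before it (first amount < second amount < third amount).
REMEDIATIONS: List[Tuple[str, float]] = [
    ("apply_software_updates", 0.15),
    ("network_segmentation", 0.30),
    ("system_wipe", 0.60),
]

def detect_transfers(logs):
    """Collapse raw log records into distinct (origin, destination, type) transfers with counts."""
    return Counter(logs)

def score_transfers(transfers, weights, saturation=5):
    """Rank transfers by lateral-movement likelihood: the type weight scaled by how
    routinely the path is used (frequency saturates so a chatty path cannot dominate)."""
    ranked = []
    for (origin, dest, ttype), count in transfers.items():
        # Unknown transfer types get a neutral weight of 0.5 (an assumption of this example).
        score = weights.get(ttype, 0.5) * min(1.0, count / saturation)
        ranked.append({"origin": origin, "destination": dest, "type": ttype,
                       "score": round(score, 4)})
    return sorted(ranked, key=lambda t: t["score"], reverse=True)

def remediate(score, threshold):
    """Apply the escalating steps in order, stopping once the score is at or below threshold."""
    applied = []
    for step, reduction in REMEDIATIONS:
        if score <= threshold:
            break
        score = round(max(0.0, score - reduction), 4)
        applied.append(step)
    return applied, score

def triage(logs, threshold=0.5):
    """Full pipeline: transfers -> ranked scores -> remediation for every transfer above threshold."""
    ranked = score_transfers(detect_transfers(logs), TYPE_WEIGHTS)
    return [(t, *remediate(t["score"], threshold)) for t in ranked if t["score"] > threshold]
```

With the constructed logs, only the SMB path from host-a to host-b exceeds the threshold, and updates plus segmentation already bring it back under it, so the wipe is never reached.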