US 11,658,992 B2
Lateral movement candidate detection in a computer network
Satheesh Kumar Joseph Durairaj, Dublin, CA (US); Stanislav Miskovic, San Jose, CA (US); and Georgios Apostolopoulos, San Jose, CA (US)
Assigned to SPLUNK INC., San Francisco, CA (US)
Filed by Splunk Inc., San Francisco, CA (US)
Filed on Jun. 17, 2021, as Appl. No. 17/350,689.
Application 17/350,689 is a continuation of application No. 16/573,944, filed on Sep. 17, 2019, granted, now 11,044,264.
Application 16/573,944 is a continuation of application No. 15/582,645, filed on Apr. 29, 2017, granted, now 10,462,169, issued on Oct. 29, 2019.
Prior Publication US 2021/0314337 A1, Oct. 7, 2021
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); G06F 16/901 (2019.01); G06N 5/02 (2023.01); G06F 21/31 (2013.01); G06N 20/00 (2019.01); H04L 41/142 (2022.01); H04L 41/14 (2022.01); H04L 41/22 (2022.01); G06N 5/022 (2023.01); G06N 7/00 (2023.01)
CPC H04L 63/1425 (2013.01) [G06F 16/9024 (2019.01); G06N 5/022 (2013.01); G06N 20/00 (2019.01); H04L 41/142 (2013.01); H04L 41/145 (2013.01); H04L 41/22 (2013.01); G06N 7/005 (2013.01)]
20 Claims
1. A method, comprising:
accessing, by a computer system, event data indicative of events related to a plurality of entities associated with a network;
accessing a data store that includes data associated with selected events, wherein the selected events are indicative of lateral movement, and wherein each of the selected events has an associated weight factor;
identifying, by the computer system, based on the event data, lateral movement candidate entities, wherein identifying the lateral movement candidate entities comprises, for each entity of the plurality of entities:
identifying a subset of the event data that is associated with the entity;
obtaining, based on the data store access, a weight factor for each event of the subset of event data;
calculating an entity weight factor for the entity based on the weight factor for each event; and
when the entity weight factor is above a threshold, identifying the entity as a lateral movement candidate entity;
creating, by the computer system, based on the event data, a graph data structure that is indicative of a sequence of events associated with the lateral movement candidate entities; and
analyzing, by the computer system, the graph data structure to identify a potential security threat by identifying a subset of the lateral movement candidate entities that are associated with a particular observed sequence of events in the plurality of observed sequences of events.
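The steps of claim 1 (per-event weight lookup, per-entity weight factor and threshold, sequence graph over the candidates, and selection of the candidates that walked a particular observed sequence) can be followed in a small script. The code below is an added illustration written for this page, not Splunk's implementation or any code from the patent; the event types, their weight factors, the threshold value, the choice of summation as the "entity weight factor" calculation, and the sample events are all constructed assumptions, and the graph is a plain per-entity adjacency map rather than whatever graph data structure the product uses.

```python
"""Toy walk-through of the claim 1 pipeline: weighted event scoring to pick
lateral-movement candidate entities, then a per-entity event-sequence graph
used to find which candidates show a specific observed sequence.
Added example, not the patent's or Splunk's code; all values are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed "data store" of events treated as indicative of lateral
# movement, each with an associated weight factor (assumed values).
EVENT_WEIGHTS: Dict[str, float] = {
    "remote_interactive_logon": 0.5,
    "admin_share_access": 0.7,
    "remote_service_install": 0.9,
    "credential_read": 0.8,
    "local_logon": 0.0,
}

# Assumed threshold; the claim only requires "a threshold".
CANDIDATE_THRESHOLD = 1.0

# Constructed sample event data: (timestamp, entity, event type).
SAMPLE_EVENTS: List[Tuple[int, str, str]] = [
    (1, "alice", "local_logon"),
    (2, "alice", "local_logon"),
    (3, "svc-backup", "remote_interactive_logon"),
    (4, "svc-backup", "admin_share_access"),
    (5, "svc-backup", "remote_service_install"),
    (6, "bob", "remote_interactive_logon"),
    (7, "bob", "credential_read"),
    (8, "bob", "admin_share_access"),
    (9, "carol", "remote_interactive_logon"),
    (10, "carol", "local_logon"),
    (11, "carol", "admin_share_access"),
]


def entity_weight_factors(events: Iterable[Tuple[int, str, str]],
                          weights: Dict[str, float]) -> Dict[str, float]:
    """Per-entity weight factor: the sum of the weight factor of each of the
    entity's events (summation is an assumption; the claim only says the
    entity factor is based on the per-event factors).  Event types missing
    from the data store contribute nothing."""
    totals: Dict[str, float] = defaultdict(float)
    for _, entity, event_type in events:
        totals[entity] += weights.get(event_type, 0.0)
    return dict(totals)


def lateral_movement_candidates(events, weights, threshold: float) -> Set[str]:
    """Entities whose weight factor is above the threshold."""
    factors = entity_weight_factors(events, weights)
    return {entity for entity, w in factors.items() if w > threshold}


def build_sequence_graph(events, candidates: Set[str]) -> Dict[str, dict]:
    """Per-candidate directed graph of consecutive events, ordered by time:
    an edge a -> b means event type b directly followed event type a for
    that entity.  The time-ordered sequence is kept alongside the edges."""
    per_entity: Dict[str, List[str]] = defaultdict(list)
    for _, entity, event_type in sorted(events):
        if entity in candidates:
            per_entity[entity].append(event_type)
    graph: Dict[str, dict] = {}
    for entity, seq in per_entity.items():
        edges: Dict[str, Set[str]] = defaultdict(set)
        for a, b in zip(seq, seq[1:]):
            edges[a].add(b)
        graph[entity] = {"sequence": seq, "edges": dict(edges)}
    return graph


def entities_matching_sequence(graph: Dict[str, dict],
                               pattern: Tuple[str, ...]) -> Set[str]:
    """Candidates whose event sequence contains `pattern` as a contiguous
    run, i.e. the path pattern[0] -> pattern[1] -> ... was actually walked
    in that order (an entity with an unrelated event in between does not
    match, which is the point of analysing the sequence rather than the
    set of events)."""
    n = len(pattern)
    matches: Set[str] = set()
    for entity, info in graph.items():
        seq = info["sequence"]
        if any(tuple(seq[i:i + n]) == tuple(pattern)
               for i in range(len(seq) - n + 1)):
            matches.add(entity)
    return matches


def run_example(pattern=("remote_interactive_logon", "admin_share_access")):
    """End-to-end run over the constructed sample data."""
    candidates = lateral_movement_candidates(
        SAMPLE_EVENTS, EVENT_WEIGHTS, CANDIDATE_THRESHOLD)
    graph = build_sequence_graph(SAMPLE_EVENTS, candidates)
    return candidates, entities_matching_sequence(graph, pattern)


if __name__ == "__main__":
    cands, hits = run_example()
    print("candidates:", sorted(cands))
    print("matching the observed sequence:", sorted(hits))
```

With the constructed data, `alice` never exceeds the threshold and is dropped before the graph is built, while `svc-backup`, `bob` and `carol` all become candidates; only `svc-backup` matches the two-step sequence `remote_interactive_logon -> admin_share_access`, because the other two have a different event between those steps. That separation of a cheap per-entity score (which prunes the population) from a more expensive sequence analysis (run only over the candidates) is the structure the claim describes.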