US 12,407,718 B2
Incremental causal graph learning for attack forensics in computer systems
Zhengzhang Chen, Princeton Junction, NJ (US); Haifeng Chen, West Windsor, NJ (US); and Dongjie Wang, Orlando, FL (US)
Assigned to NEC Corporation, Tokyo (JP)
Filed by NEC Laboratories America, Inc., Princeton, NJ (US)
Filed on Jul. 26, 2023, as Appl. No. 18/359,389.
Claims priority of provisional application 63/450,989, filed on Mar. 9, 2023.
Claims priority of provisional application 63/442,155, filed on Jan. 31, 2023.
Claims priority of provisional application 63/397,955, filed on Aug. 15, 2022.
Prior Publication US 2024/0214414 A1, Jun. 27, 2024
Int. Cl. H04L 9/40 (2022.01); H04L 41/0631 (2022.01); H04L 41/16 (2022.01)
CPC H04L 63/145 (2013.01) [H04L 41/0631 (2013.01); H04L 41/16 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A computer-implemented method for identifying attack origins, the method comprising:
detecting a trigger point from entity metrics data and key performance indicator (KPI) data;
generating a learned causal graph by fusing a state-invariant causal graph with a state-dependent causal graph;
backtracking from an attack detection point, via an incident backtrack and system recovery component, by using the learned causal graph to identify an attack origin in response to an intrusion or an attack occurring; and
displaying data relating to the attack origin on a visualization display for user analysis.
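The four steps of claim 1 (trigger detection from metric and KPI series, fusion of a state-invariant and a state-dependent causal graph, backtracking from the detection point to an origin, and a report for display) are shown below as an added illustrative Python example. This is not code from the patent, from NEC, or from the inventors, and the patent text here discloses none of the specific rules used: the z-score trigger rule, the convex-combination fusion rule with an edge-pruning threshold, the path-product scoring used for backtracking, and all entity, KPI and graph data are assumptions constructed for the example. Learning the two causal graphs is out of scope; their edge weights are supplied as constants.

```python
"""Illustrative causal-graph backtracking for attack forensics.

Added example, not code from the patent or NEC. Trigger rule, fusion rule,
path scoring and all sample data are assumptions made for illustration.
"""
from __future__ import annotations

from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple

Graph = Dict[str, Dict[str, float]]  # cause -> {effect: edge weight}

# Constructed sample data: one value per minute for three entity metrics and
# one KPI. A burst of authentication failures starts at index 5, web CPU and
# DB throughput react at index 6, and the checkout KPI degrades at index 6.
ENTITY_METRICS: Dict[str, List[float]] = {
    "web01.cpu": [20, 22, 21, 23, 22, 24, 85, 90, 92, 88],
    "db01.qps": [100, 102, 99, 101, 100, 103, 40, 35, 30, 33],
    "auth.fail": [1, 0, 2, 1, 0, 30, 45, 50, 48, 47],
}
KPI: Dict[str, List[float]] = {
    "checkout.latency_ms": [120, 118, 121, 119, 122, 120, 450, 800, 950, 900],
}

# Constructed graphs. The state-invariant graph encodes structure that holds in
# normal operation; the state-dependent graph encodes structure observed in the
# abnormal window. Both are assumed inputs here, not learned in this example.
STATE_INVARIANT: Graph = {
    "db01.qps": {"checkout.latency_ms": 0.8},
    "web01.cpu": {"checkout.latency_ms": 0.6},
    "auth.fail": {"web01.cpu": 0.1},
}
STATE_DEPENDENT: Graph = {
    "auth.fail": {"web01.cpu": 0.9, "checkout.latency_ms": 0.1},
    "web01.cpu": {"db01.qps": 0.7, "checkout.latency_ms": 0.3},
    "db01.qps": {"checkout.latency_ms": 0.6},
}


def detect_trigger_point(metrics: Dict[str, List[float]], kpi: Dict[str, List[float]],
                         baseline_len: int = 5, z: float = 3.0) -> Optional[Tuple[str, int]]:
    """Assumed trigger rule: earliest index at which any entity metric or KPI
    deviates from its own baseline mean by more than z baseline std devs."""
    hits: List[Tuple[int, str]] = []
    for name, series in {**metrics, **kpi}.items():
        base = series[:baseline_len]
        mu, sd = mean(base), pstdev(base) or 1.0  # avoid division by zero on flat baselines
        for i in range(baseline_len, len(series)):
            if abs(series[i] - mu) / sd > z:
                hits.append((i, name))
                break
    if not hits:
        return None
    idx, name = min(hits)
    return name, idx


def fuse_causal_graphs(invariant: Graph, dependent: Graph,
                       alpha: float = 0.5, keep: float = 0.2) -> Graph:
    """Assumed fusion rule: convex combination of the two edge weights
    (missing edge = 0); edges whose fused weight falls below `keep` are dropped."""
    fused: Graph = {}
    for cause in set(invariant) | set(dependent):
        effects = set(invariant.get(cause, {})) | set(dependent.get(cause, {}))
        for effect in effects:
            w = (alpha * invariant.get(cause, {}).get(effect, 0.0)
                 + (1 - alpha) * dependent.get(cause, {}).get(effect, 0.0))
            if w >= keep:
                fused.setdefault(cause, {})[effect] = round(w, 3)
    return fused


def backtrack_origins(fused: Graph, detection_point: str) -> List[Tuple[str, float, List[str]]]:
    """Walk fused edges backwards from the detection point. Candidate origins are
    nodes with no incoming fused edge; each is scored by the product of edge
    weights along its strongest causal path to the detection point."""
    parents: Dict[str, Dict[str, float]] = {}
    for cause, effects in fused.items():
        for effect, w in effects.items():
            parents.setdefault(effect, {})[cause] = w
    best: Dict[str, Tuple[float, List[str]]] = {}

    def dfs(node: str, score: float, path: List[str], seen: Set[str]) -> None:
        if node not in parents:  # nothing causes this node: candidate origin
            if node not in best or score > best[node][0]:
                best[node] = (score, [node] + path)  # stored root-first
            return
        for cause, w in parents[node].items():
            if cause not in seen:  # guard against cycles in the learned graph
                dfs(cause, score * w, [node] + path, seen | {cause})

    dfs(detection_point, 1.0, [], {detection_point})
    return sorted(((n, round(s, 4), p) for n, (s, p) in best.items()), key=lambda t: -t[1])


def render_report(trigger: Optional[Tuple[str, int]], detection_point: str,
                  ranked: List[Tuple[str, float, List[str]]]) -> str:
    """Plain-text stand-in for the visualization display of the claim."""
    lines = [f"trigger point: {trigger}", f"detection point: {detection_point}"]
    for origin, score, path in ranked:
        lines.append(f"origin {origin} score={score} path={' -> '.join(path)}")
    return "\n".join(lines)


if __name__ == "__main__":
    trig = detect_trigger_point(ENTITY_METRICS, KPI)
    fused_graph = fuse_causal_graphs(STATE_INVARIANT, STATE_DEPENDENT)
    print(render_report(trig, "checkout.latency_ms",
                        backtrack_origins(fused_graph, "checkout.latency_ms")))
```

On the constructed data the trigger point is the authentication-failure burst at index 5, one minute before the KPI alarm, and backtracking from the KPI ranks `auth.fail` as the origin via the direct path through `web01.cpu` rather than the longer path through `db01.qps`. The pruning threshold in the fusion step matters in practice: the weak direct edge from `auth.fail` to the KPI in the state-dependent graph is dropped, so the ranking reflects the mechanism (CPU saturation) rather than a spurious shortcut.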