US 20190379700A1

(19) United States
(12) Patent Application Publication
(10) Pub. No.: US 2019/0379700 A1
(43) Pub. Date: Dec. 12, 2019
Canzanese, JR. et al.

(54) SYSTEMS AND METHODS FOR ALERT PRIORITIZATION USING SECURITY EVENTS GRAPH
(71) Applicant: Netskope, Inc., Santa Clara, CA (US)
(72) Inventors: Raymond Joseph Canzanese, JR., Philadelphia, PA (US); Joshua David Batson, Sunnyvale, CA (US)
(73) Assignee: Netskope, Inc., Santa Clara, CA (US)
(21) Appl. No.: 16/361,023
(22) Filed: Mar. 21, 2019

Related U.S. Application Data
(60) Provisional application No. 62/683,795, filed on Jun. 12, 2018.

Publication Classification
(51) Int. Cl.
H04L 29/06 (2006.01)
G06F 16/901 (2006.01)
G06F 16/906 (2006.01)
(52) U.S. Cl.
CPC H04L 63/20 (2013.01); G06F 16/906 (2019.01); G06F 16/9024 (2019.01)

(57) ABSTRACT

The technology disclosed includes a system to group security alerts generated in a computer network and prioritize grouped security alerts for analysis. The system includes graphing entities in the computer network as nodes connected by one or more edges. Native scores for pending alerts are assigned to nodes or to edges between the nodes. A connection type is assigned to each edge and weights are assigned to edges representing relationship strength between the nodes. The technology disclosed includes traversing the graph starting at starting nodes and propagating native scores through and to neighboring nodes connected by the edges. The aggregate score for a visited node is calculated by accumulating propagated scores at visited nodes with their respective native scores. The technology disclosed forms clusters of connected nodes in the graph that have a respective aggregate score above a selected threshold. The clusters are ranked and prioritized for analysis.
[Exhibit stamp on the drawing sheets: WIZ, Inc. EXHIBIT - 1045, WIZ, Inc. v. Orca Security LTD.]

[Drawing sheets 1 to 17 of US 2019/0379700 A1, Patent Application Publication, Dec. 12, 2019. Only the labels and values legible in the drawings are kept below.]

FIG. 1 (system 100): Enterprise Network 111 containing User Endpoints 121 (Computers 131a-n, Tablets 141a-n, Cell Phones 151a-n) and Servers 161a-m; Network(s) 155; Internet-Based Services 117 (Internet-Based Hosting Service 136, Web Service 137, Cloud-Based Storage Service 139); Security Log Data 175; Alert Prioritization Engine 158.

FIG. 2 (200): components of the Alert Prioritization Engine 158: Graph Generator 225, Graph Traverser 235, Alert Score Propagator 245, Cluster Formation Engine 255, Alert Cluster Ranker 265.

FIG. 3 (301), Example 1, native scores; the legend gives the weights of the different edge types as Wgm(s) = 1.0 and Wgm(b) = 0.9: IP 1.1.1.1 Score = 100; Database 2 Score = 100; User 1, Host A, User 100, IP 1.1.1.100, IP 92.168.1.1 and Database 1 Score = 0.

FIGS. 4A, 4B, 4C (401, 402, 403), propagated scores from node IP 1.1.1.1 (Score = 100): 1st iteration User 1 Score = 34.482; 2nd iteration Host A Score = 0.105; 3rd iteration IP 92.168.1.1 Score = 0.036 and User 100 Score = 0.032; 4th iteration Database 1 Score = 0.011, Database 2 Score = 0.011 and IP 1.1.1.100 Score = 0.011.

FIGS. 5A, 5B, 5C (501, 502, 503), propagated scores from node Database 2 (Score = 100): 1st iteration IP 92.168.1.1 Score = 15.517; 2nd iteration Database 1 Score = 4.815 and Host A Score = 5.351; 3rd iteration User 1 Score = 1.661 and User 100 Score = 1.661; 4th iteration IP 1.1.1.1 Score = 0.572 and IP 1.1.1.100 Score = 0.572.

FIG. 6 (601), aggregated scores:

Node | From IP 1.1.1.1 | From Database 2 | Aggregated Score
IP 1.1.1.1 | N/A | 0.572 | 100.572
User 1 | 34.482 | 1.661 | 36.143
Host A | 0.105 | 5.351 | 5.456
Database 1 | 0.011 | 4.815 | 4.826
IP 92.168.1.1 | 0.036 | 15.517 | 15.553
Database 2 | 0.011 | N/A | 100.011
User 100 | 0.032 | 1.661 | 1.693
IP 1.1.1.100 | 0.011 | 0.572 | 0.583

FIG. 7 (701), cluster formation for Example 1: Cluster 1 (711) contains IP 1.1.1.1 (100.572), User 1 (36.143), Host A (5.456), Database 1 (4.826), IP 92.168.1.1 (15.553) and Database 2 (100.011); Cluster 1 Score = 262.561. User 100 (1.693) and IP 1.1.1.100 (0.583) are outside the cluster.

FIG. 8 (801), Example 2, native scores (Wgm(s) = 1.0, Wgm(b) = 0.9): IP 1.1.1.1 Score = 100; IP 1.1.1.100 Score = 100; User 1, User 2, User 99, User 100, Host A, IP 1.1.1.2 and IP 1.1.1.99 Score = 0.

FIG. 9 (901), propagated scores from node IP 1.1.1.1: User 1 = 34.48; Host A = 0.107; User 2, User 99 and User 100 = 0.033; IP 1.1.1.2, IP 1.1.1.99 and IP 1.1.1.100 = 0.011.

FIG. 10 (1001), propagated scores from node IP 1.1.1.100: User 100 = 34.48; Host A = 0.107; User 1, User 2 and User 99 = 0.033; IP 1.1.1.1, IP 1.1.1.2 and IP 1.1.1.99 = 0.011.

FIG. 11 (1101), aggregated scores for Example 2: IP 1.1.1.1 = 100.011; IP 1.1.1.100 = 100.011; User 1 = 34.513; User 100 = 34.513; User 2 = 0.066; User 99 = 0.066; Host A = 0.214; IP 1.1.1.2 = 0.022; IP 1.1.1.99 = 0.022.

FIG. 12 (1201), cluster formation for Example 2: Cluster 1 (1211) contains IP 1.1.1.1 and User 1, Cluster 1 Score = 134.524; Cluster 2 (1217) contains IP 1.1.1.100 and User 100, Cluster 2 Score = 134.524; Host A (0.214), User 2, User 99, IP 1.1.1.2 and IP 1.1.1.99 are outside both clusters.

FIG. 13 (1300), computer system: Storage Subsystem 1310 with Memory Subsystem 1322 (RAM 1332, ROM 1334) and File Storage Subsystem 1336; User Interface Input Devices 1338; Bus Subsystem 1355; CPU 1372; Network Interface Subsystem 1374; User Interface Output Devices 1376; GPU, FPGA 1378; Alert Prioritization Engine 158.

US 2019/0379700 A1, Dec. 12, 2019
SYSTEMS AND METHODS FOR ALERT PRIORITIZATION USING SECURITY EVENTS GRAPH

PRIORITY DATA
[0001] This application claims the benefit of U.S. Provisional Patent Application No. 62/683,795, entitled "ALERT PRIORITIZATION USING GRAPH ALGORITHMS", filed on Jun. 12, 2018 (Atty. Docket No. NSKO 1022-1). The provisional application is incorporated by reference as if fully set forth herein.
INCORPORATIONS
[0002] The following materials are incorporated by reference as if fully set forth herein:
[0003] U.S. Provisional Patent Application No. 62/683,789, entitled "SYSTEM TO SHOW DETAILED STRUCTURE IN A MODERATELY SIZED GRAPH", filed on Jun. 12, 2018 (Atty. Docket No. NSKO 1024-1).
[0004] Contemporaneously filed U.S. patent application Ser. No. ______, entitled "SYSTEMS AND METHODS TO SHOW DETAILED STRUCTURE IN A SECURITY EVENTS GRAPH", filed on ______ 2019 (Atty. Docket No. NSKO 1024-2).
FIELD OF THE TECHNOLOGY DISCLOSED
[0005] The technology disclosed relates to graph presentation for prioritization of security incidents.
BACKGROUND
[0006] The subject matter discussed in this section should not be assumed to be prior art merely as a result of its mention in this section. Similarly, a problem mentioned in this section or associated with the subject matter provided as background should not be assumed to have been previously recognized in the prior art. The subject matter in this section merely represents different approaches, which in and of themselves can also correspond to implementations of the claimed technology.
[0007] Security analysts use log data generated by security and operations systems to identify and protect enterprise networks against cybersecurity threats. Gigabytes of security and operations log data can be generated in a short time. These logs contain security events with varying levels of threat. Firstly, it is difficult for an analyst to go through these logs and identify the alerts that need immediate attention. Secondly, it is difficult to identify the different computer network entities related to a particular alert. Graphs can be used to visualize computer network entities which are connected to other entities through edges. However, for a typical enterprise network, graphs can become very large, with hundreds of thousands of entities connected through tens of millions of edges. Security analysts are overwhelmed by such graphs of security events and can miss the most important alerts and the entities related to those alerts. Some of these alerts are false positives. In most cases, a well-planned cyberattack impacts more than one entity in the enterprise network. It is difficult for security analysts to review the graph and identify groups of entities impacted by one or more alerts in the logs.
[0008] Therefore, an opportunity arises to automatically identify groups of entities in an enterprise network that are impacted by one or more alerts in the logs of data generated by security systems in a computer network.
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] In the drawings, like reference characters generally refer to like parts throughout the different views. Also, the drawings are not necessarily to scale, with an emphasis instead generally being placed upon illustrating the principles of the technology disclosed. In the following description, various implementations of the technology disclosed are described with reference to the following drawings, in which:
[0010] FIG. 1 illustrates an architectural level schematic of a system in which an alert prioritization engine is used to automatically group security alerts and present prioritized alerts to a security analyst.
[0011] FIG. 2 is a block diagram example of components of the alert prioritization engine of FIG. 1.
[0012] FIG. 3 illustrates native scores assigned to nodes in a first example graph of an enterprise network.
[0013] FIGS. 4A, 4B, and 4C illustrate propagated scores from a first starting node in the first example graph presented in FIG. 3.
[0014] FIGS. 5A, 5B, and 5C illustrate propagated scores from a second starting node in the first example graph presented in FIG. 3.
[0015] FIG. 6 presents aggregate scores for nodes in the first example graph presented in FIG. 3.
[0016] FIG. 7 presents cluster formation of connected nodes in the first example graph presented in FIG. 3.
[0017] FIG. 8 illustrates native scores assigned to nodes in a second example graph of an enterprise network.
[0018] FIG. 9 presents propagated scores from a first starting node in the second example graph presented in FIG. 8.
[0019] FIG. 10 presents propagated scores from a second starting node in the second example graph presented in FIG. 8.
[0020] FIG. 11 presents aggregate scores for nodes in the second example graph presented in FIG. 8.
[0021] FIG. 12 presents cluster formation of connected nodes in the second example graph presented in FIG. 8.
[0022] FIG. 13 is a simplified block diagram of a computer system that can be used to implement the technology disclosed.

DETAILED DESCRIPTION
[0023] The following discussion is presented to enable any person skilled in the art to make and use the technology disclosed, and is provided in the context of a particular application and its requirements. Various modifications to the disclosed implementations will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other implementations and applications without departing from the spirit and scope of the technology disclosed. Thus, the technology disclosed is not intended to be limited to the implementations shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.
INTRODUCTION
[0024] Protecting enterprise networks against cybersecurity attacks is a priority of every organization. Gigabytes of security log data can be generated by packet filters, firewalls, anti-malware software, intrusion detection and prevention systems, vulnerability management software, authentication servers, network quarantine servers, application servers, database servers and other devices, even in a single 24 hour period. The logs generated by these systems contain alerts for different entities of the computer network. Some security systems assign scores to such alerts. However, not all alerts are equal and some alerts are false positives. Security analysts must determine, from voluminous logs, which alerts present a threat that requires immediate attention. Groups of security alerts, spanning different entities in the enterprise network, can be more telling than individual alerts, but grouping is challenging and time consuming.
[0025] Graphs of enterprise networks can help security analysts visualize entities in the computer network and their alert status. The technology disclosed builds on a graph of the enterprise network, with nodes representing entities in the network. The technology disclosed assigns alert scores generated by security systems to nodes or to edges connecting the nodes. We refer to these assigned alert scores as "native" scores, to distinguish them from scores resulting from propagation through the graph. Different types of edges represent different types of relationships between the nodes. Consistent with edge types, we assign weights to edges representing the strength of the relationship between the connected nodes. Simply rendering an annotated graph would create a visualization of logs, but would be too cluttered to facilitate prioritization of threats to the enterprise network, so we do more.
[0026] The technology disclosed reduces the burden on security analysts by automatically finding groups of security alerts and presenting prioritized groups to the security analyst. This includes applying rules to propagate the native scores through the graph, leading to node clusters based on an aggregation of native and propagated alert scores.
[0027] Graph traversal determines the propagated impact of a native alert score on connected, neighboring nodes. The technique can involve an extra step if alert scores are assigned to edges: a step of imputing the assigned alert scores to one node or to both connected nodes, in the case of a directed edge or of an undirected or bi-directed edge, respectively. Alternatively, scores on edges can be propagated in the same way that we describe propagating scores on nodes. For each starting node with a native alert score, we traverse the graph following edges from the starting node to propagate the starting node's native alert score to neighboring nodes. Native scores of other nodes encountered during the propagation are ignored; they are handled when those other nodes become starting nodes. Traversal can be terminated after a predetermined number of edges/nodes, such as five, or when propagation attenuates the score below a predetermined threshold. Weights on edges attenuate propagation. We normalize the propagated score at each visited node using the number of edges of the same type connected to the visited node, which also attenuates propagation. For instance, a node representing a server may be connected to a hundred client nodes and so receives only a small contribution propagated from each client node. Over multiple propagations from starting nodes, we sum the propagated scores at visited nodes to accumulate aggregate scores. The sum of propagated scores can be further normalized based on a sum of weights of relationship strengths on edges connected to the visited node. Scoring supports clustering for prioritized display.
[0028] The technology disclosed clusters connected nodes based on uninterrupted chains of summed propagated scores. Connected nodes are clustered when they have aggregate scores above a selected threshold. Clusters are separated by at least one node that has an aggregated score below the selected threshold, effectively breaking the chain. The threshold can be a predetermined score, a ratio of scores between connected nodes, or a combination of both. For instance, a pair of connected nodes can be separated into different clusters when one node has a score 10x the other node. We calculate cluster scores by summing aggregate scores of nodes in the cluster and, in some instances, normalizing the sum. We rank and prioritize clusters for display and potential analysis using the cluster scores.
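The following is a worked implementation of the propagation, aggregation and clustering steps described in paragraphs [0027] and [0028]. It is added here as an illustration; it is not code from the application or from Netskope's implementation. It assumes a concrete attenuation rule (the score is multiplied by the edge weight and divided by the number of same-type edges at the receiving node), the per-type weights in EDGE_WEIGHTS, a five-hop limit and a minimum propagated score of 0.01. The graph is a constructed sample shaped like the first example graph (IP 1.1.1.1 and Database 2 carrying native scores of 100, with 98 extra users authenticating to Host A to show the "hundred clients" attenuation); because the attenuation rule is an assumption, the numbers it produces differ from those shown in the figures.

```python
from collections import defaultdict

# Assumed weights per connection type; the text only fixes the ordering
# (an association edge is stronger than an authentication-action edge).
EDGE_WEIGHTS = {"association": 1.0, "communication": 0.9, "authentication": 0.5}


class SecurityGraph:
    """Undirected graph of network entities with typed, weighted edges."""

    def __init__(self):
        self.native = {}               # node -> native alert score
        self.adj = defaultdict(list)   # node -> [(neighbour, edge_type)]

    def add_node(self, node, native_score=0.0):
        self.native[node] = float(native_score)

    def add_edge(self, a, b, edge_type):
        if edge_type not in EDGE_WEIGHTS:
            raise ValueError(f"unknown connection type {edge_type!r}")
        self.native.setdefault(a, 0.0)
        self.native.setdefault(b, 0.0)
        self.adj[a].append((b, edge_type))
        self.adj[b].append((a, edge_type))

    def same_type_degree(self, node, edge_type):
        return sum(1 for _, t in self.adj[node] if t == edge_type)

    def propagate_from(self, start, max_hops=5, min_score=0.01):
        """Breadth-first propagation of the starting node's native score.

        Assumed attenuation rule: each hop multiplies the score by the edge
        weight and divides it by the number of same-type edges at the receiving
        node, so a server with a hundred clients gets only a small share from
        each client.  Native scores of nodes met on the way are ignored (they
        are handled when those nodes are starting nodes).  Traversal stops after
        max_hops hops or once every contribution is below min_score.
        Returns {visited node: propagated score}; the start node is excluded.
        """
        propagated, visited = {}, {start}
        frontier = {start: self.native[start]}
        for _ in range(max_hops):
            nxt = defaultdict(float)
            for node, score in frontier.items():
                for nbr, etype in self.adj[node]:
                    if nbr not in visited:
                        nxt[nbr] += score * EDGE_WEIGHTS[etype] / self.same_type_degree(nbr, etype)
            frontier = {n: s for n, s in nxt.items() if s >= min_score}
            if not frontier:
                break
            visited.update(frontier)
            propagated.update(frontier)
        return propagated

    def aggregate_scores(self, max_hops=5, min_score=0.01):
        """Native score plus the propagated scores arriving from every starting node."""
        aggregate = dict(self.native)
        for start, score in self.native.items():
            if score > 0:   # only nodes with a non-zero native score start a traversal
                for node, share in self.propagate_from(start, max_hops, min_score).items():
                    aggregate[node] += share
        return aggregate

    def form_clusters(self, aggregate, threshold, ratio=None):
        """Connected groups of nodes scoring at or above threshold.

        A node below threshold breaks the chain; with ratio set, an edge whose
        endpoint scores differ by more than that factor breaks it too.
        """
        def linked(a, b):
            lo, hi = sorted((aggregate[a], aggregate[b]))
            return lo >= threshold and (ratio is None or hi <= ratio * lo)

        clusters, seen = [], set()
        for node in self.native:
            if node in seen or aggregate[node] < threshold:
                continue
            cluster, stack = set(), [node]
            while stack:
                cur = stack.pop()
                if cur not in cluster:
                    cluster.add(cur)
                    stack.extend(n for n, _ in self.adj[cur] if linked(cur, n))
            seen |= cluster
            clusters.append(cluster)
        return clusters


def rank_clusters(clusters, aggregate):
    """Cluster score is the sum of member aggregate scores; highest first."""
    ranked = [(round(sum(aggregate[n] for n in c), 6), sorted(c)) for c in clusters]
    return sorted(ranked, key=lambda item: -item[0])


def example_graph():
    """Constructed sample shaped like the first example graph in the figures."""
    g = SecurityGraph()
    g.add_node("IP 1.1.1.1", 100)      # native alert score on this IP
    g.add_node("Database 2", 100)      # native alert score on this database
    g.add_edge("IP 1.1.1.1", "User 1", "association")
    g.add_edge("User 1", "Host A", "authentication")
    g.add_edge("User 100", "Host A", "authentication")
    g.add_edge("User 100", "IP 1.1.1.100", "association")
    g.add_edge("Host A", "IP 92.168.1.1", "communication")
    g.add_edge("IP 92.168.1.1", "Database 1", "communication")
    g.add_edge("IP 92.168.1.1", "Database 2", "communication")
    for k in range(2, 100):            # 98 more users, so Host A has 100 authentication edges
        g.add_edge(f"User {k}", "Host A", "authentication")
    return g


if __name__ == "__main__":
    graph = example_graph()
    scores = graph.aggregate_scores()
    for total, members in rank_clusters(graph.form_clusters(scores, threshold=20.0), scores):
        print(f"cluster score {total:.3f}: {', '.join(members)}")
```

With a threshold of 20 the sample yields one cluster (IP 1.1.1.1, User 1, Host A, IP 92.168.1.1, Database 1, Database 2), while User 100, IP 1.1.1.100 and the 98 extra users stay below the threshold and outside it. Passing ratio=3.0 to form_clusters additionally breaks the chain at edges whose endpoint scores differ by more than a factor of three, which splits the same nodes into three clusters; this is the ratio-based separation that paragraph [0028] describes with the 10x example.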
System Overview
[0029] We describe a system to group security alerts generated in a computer network and prioritize grouped security alerts for analysis. The system is described with reference to FIG. 1 showing an architectural level schematic of a system in accordance with an implementation. Because FIG. 1 is an architectural diagram, certain details are intentionally omitted to improve the clarity of the description. The discussion of FIG. 1 is organized as follows. First, the elements of the figure are described, followed by their interconnection. Then, the use of the elements in the system is described in greater detail.
[0030] FIG. 1 includes system 100. This paragraph names the labelled parts of system 100. The figure illustrates user endpoints 121, servers 161a-m, a network(s) 155, an Internet-based hosting service 136, a web service 137, a cloud-based storage service 139, an alert prioritization engine 158, and a security log database 175. Internet-based hosting service 136, the web service 137, and the cloud-based storage service 139 are collectively referred to as Internet-based services 117. User endpoints 121 and servers 161a-m are part of the enterprise network 111.
[0031] Servers 161a-m and user endpoints 121 such as computers 131a-n, tablets 141a-n, and cell phones 151a-n access and interact with the Internet-based services 117. In one implementation, this access and interaction is modulated by an inline proxy (not shown in FIG. 1) that is interposed between the user endpoints 121 and the Internet-based services 117. The inline proxy monitors network traffic between user endpoints 121 and the Internet-based services 117 and can include detection of malicious activity to protect the enterprise network and data. The inline proxy can be an Internet-based proxy or a proxy appliance located on premise. The log data collected by the inline proxy can be stored in the security log database 175.
[0032] In a so-called managed device implementation, user endpoints 121 are configured with routing agents (not shown) which ensure that requests for the Internet-based services 117 originating from the user endpoints 121 and responses to the requests are routed through the inline proxy for policy enforcement. Once the user endpoints 121 are configured with the routing agents, they are under the ambit or purview of the inline proxy, regardless of their location (on premise or off premise).
[0033] In a so-called unmanaged device implementation, certain user endpoints that are not configured with the routing agents can still be under the purview of the inline proxy when they are operating in an on premise network monitored by the inline proxy. Both managed and unmanaged devices can be configured with security software to detect malicious activity and store logs of security events in the security log database 175.
[0034] The enterprise users access Internet-based services 117 to perform a wide variety of operations such as searching for information on webpages hosted by the Internet-based hosting service 136, sending and receiving emails, uploading documents to a cloud-based storage service 139 and downloading documents from the cloud-based storage service 139. The log database accumulates logs of events related to users and the enterprise from multiple sources. Two sources of such log data include security systems and operations systems. Security systems include packet filters, firewalls, anti-malware software, intrusion detection and prevention systems, vulnerability management software, authentication servers, and network quarantine servers. Operations systems include servers, workstations, caches and load balancers and networking devices (e.g., routers and switches). These systems can report hundreds, thousands or millions of events in an enterprise network in one day. Some security systems apply scores (such as on a scale of 1 to 100) indicating the risk associated with an individual event. An alert with a score of 100 likely poses a higher threat to the organization's network as compared to an alert with a score of 10. Not all alerts reported in the logs present the same level of threat and some alerts are false positives. Security analysts can review these logs to identify and analyze high priority alerts that present threats to the enterprise network 111 by well-equipped adversaries, but doing so is tedious.
[0035] High priority situations are often presented as a group of interrelated security alerts generated for different entities in the computer network. It is challenging and time consuming to identify these groups of alerts using logs of security data. The technology disclosed reduces the burden on security analysts by automatically finding groups of security alerts and presenting prioritized groups to the security analyst. This grouping of security alerts and prioritizing of grouped alerts enables the security analyst to focus on nodes that are of interest for high risk security events. Consider a first example of a log entry in the security log database 175 reporting a security event indicating a failed authentication from a user endpoint 121. Now consider a second example of a log entry in the security log database 175 which is also an authentication failure but represents a high risk to the organization. In the second example, an attacker has gained access to a user endpoint 121 in the enterprise network 111. The attacker steals confidential information from the compromised user endpoint. Such information can include a list of servers 161a-m in the enterprise network. The attacker then attempts to authenticate to the servers. This can result in a spike in the number of failed authentications from the compromised user endpoint. The attacker can also move laterally to other user endpoints in the enterprise network. The second example presents a situation which requires accelerated investigation by a security analyst.
[0036] A serious cyberattack on an enterprise network will likely raise interrelated alerts from multiple, disjoint security systems. Alerts from some of the monitored entities present higher risks than alerts from other entities. For example, a malware execution on a user endpoint 121 may not have the same priority level as compared to a malware execution on a system used as a jump box to access other user endpoints in the network. The security analyst can be well advised to analyze the jump box alert before the endpoint alert, as the jump box immediately impacts many entities in the network. When the analyst reviews a log that doesn't highlight the roles of the jump box and endpoint, it is difficult to prioritize the alerts.
[0037] Graphs of enterprise networks can help security analysts visualize entities in the computer network and their alert status. The technology disclosed builds on a graph of the enterprise network, with nodes representing entities in the network. Examples of entities include user endpoints 121, servers 161a-m, file names, usernames, hostnames, IP addresses, MAC addresses, email addresses, physical locations, instance identifiers, and autonomous system numbers (ASNs), etc. These example entities typically exist across a longer time scale in an enterprise network; however, entities that are short-lived can also be included in the graph if they are important for presenting the correlations, for example, certain emails and transaction identifiers, etc. The technology disclosed builds on a graph of the enterprise network with nodes, representing entities, connected with each other by edges representing different connection types. The technology disclosed assigns alert scores generated by security systems to respective nodes or edges connecting the nodes.
[0038] The nodes in graphs of an enterprise computer network are connected to each other with different types of edges representing different types of relationships between the nodes. Examples of connection types can include an association connection type, a communication connection type, a failure connection type, a location connection type, and an action or operation connection type. The first, association connection type indicates that two entities are associated, for example, a host is assigned an IP address statically or via dynamic host configuration protocol (DHCP). The second, communication connection type indicates that network communication is observed between two connected entities in the enterprise network. The third, failure connection type indicates that an action was attempted but failed, for example a failed authentication attempt. The fourth, location connection type indicates geographical relationships between connected entities, for example, an IP address is associated with a geographic region. The fifth, action or operation connection type indicates an action or an operation was performed by one of the connected entities. Entities can perform actions, for example, a user can perform an authentication action on a host or a host can execute a process. Additional connection types can be present between entities in the enterprise computer network.
[0039] The technology disclosed assigns weights to edges representing the strength of the relationship between the connected nodes. Alerts can also be represented as edges between nodes representing entities in the network. Alert edges can be in addition to other types of edges connecting nodes. The weights reflect the connection types represented by the edges. For example, an association connection between a user and an IP address is stronger than an authentication action connection between a user and a host, because the IP address is associated with the user for longer than the authenticated session of the user on the host. Under these circumstances, the weight assigned to an edge representing an association connection type would be more than the weight assigned to an edge representing an authentication action connection type.
[0040] We refer to these assigned alert scores as "native" scores to distinguish them from scores resulting from propagation through the graph. Graph traversal determines the impact of native alert scores of nodes on connected, neighboring nodes. If alert scores are assigned to edges, the technology disclosed imputes the score to one or both connected nodes, in the case of a directed edge or of an undirected or bi-directed edge, respectively. In another implementation, the technology disclosed propagates alert scores on edges in the same way as the propagation of scores assigned to nodes is described.
[0041] The technology disclosed propagates native scores from starting nodes with non-zero native scores. For each starting node, we traverse the graph to propagate the starting node's native score to co