`
US 20190379700A1

(19) United States
(12) Patent Application Publication          (10) Pub. No.: US 2019/0379700 A1
     Canzanese, JR. et al.                   (43) Pub. Date: Dec. 12, 2019

(54) SYSTEMS AND METHODS FOR ALERT PRIORITIZATION USING SECURITY EVENTS GRAPH

(71) Applicant: Netskope, Inc., Santa Clara, CA (US)

(72) Inventors: Raymond Joseph Canzanese, JR., Philadelphia, PA (US); Joshua David Batson, Sunnyvale, CA (US)

(73) Assignee: Netskope, Inc., Santa Clara, CA (US)

(21) Appl. No.: 16/361,023

(22) Filed: Mar. 21, 2019

Related U.S. Application Data

(60) Provisional application No. 62/683,795, filed on Jun. 12, 2018.

Publication Classification

(51) Int. Cl.
     H04L 29/06     (2006.01)
     G06F 16/901    (2006.01)
     G06F 16/906    (2006.01)

(52) U.S. Cl.
     CPC .... H04L 63/20 (2013.01); G06F 16/906 (2019.01); G06F 16/9024 (2019.01)

(57) ABSTRACT
The technology disclosed includes a system to group security alerts generated in a computer network and prioritize grouped security alerts for analysis. The system includes graphing entities in the computer network as nodes connected by one or more edges. Native scores for pending alerts are assigned to nodes or to edges between the nodes. A connection type is assigned to each edge, and weights are assigned to edges representing relationship strength between the nodes. The technology disclosed includes traversing the graph starting at starting nodes and propagating native scores through and to neighboring nodes connected by the edges. The aggregate score for a visited node is calculated by accumulating propagated scores at visited nodes with their respective native scores. The technology disclosed forms clusters of connected nodes in the graph that have a respective aggregate score above a selected threshold. The clusters are ranked and prioritized for analysis.
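As an added worked example, not code from the application or from Netskope, the Python below implements the pipeline the abstract describes: an undirected entity graph with typed, weighted edges; a bounded breadth-first traversal from each alerting node that propagates its native score to neighboring nodes; aggregate scores that add the propagated scores to each node's native score; and clusters formed as connected components of nodes above a selected threshold, ranked by total score. Only node-level native scores are modeled (the abstract also allows scores on edges). The node names, the native scores of 100 on IP 1.1.1.1 and Database 2, and the edge weights Wgm(s) = 1.0 and Wgm(b) = 0.9 come from the first example in the figures (FIGS. 3 to 7); the edge list and the edge types are inferred from the drawings, and the per-hop damping factor HOP_DAMPING is an assumption of this example, so the numbers it produces differ from those in the figures, which depend on a normalization the page does not spell out.

```python
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Set, Tuple

# Edge weights per connection type, as in the figures; "s" and "b" are opaque labels.
EDGE_WEIGHTS: Dict[str, float] = {"s": 1.0, "b": 0.9}
# Assumption of this example, not from the page: per-hop damping on top of the weight.
HOP_DAMPING = 0.5

Edge = Tuple[str, str, str]                    # (node_a, node_b, connection_type)
Adjacency = Dict[str, List[Tuple[str, str]]]   # node -> [(neighbour, type), ...]

def build_graph(edges: Iterable[Edge]) -> Adjacency:
    """Undirected adjacency list; rejects edge types with no configured weight."""
    graph: Adjacency = defaultdict(list)
    for a, b, kind in edges:
        if kind not in EDGE_WEIGHTS:
            raise ValueError(f"unknown connection type {kind!r} on edge {a} - {b}")
        graph[a].append((b, kind))
        graph[b].append((a, kind))
    return dict(graph)

def propagate(graph: Adjacency, start: str, native_score: float,
              max_hops: int = 4) -> Dict[str, float]:
    """Level-synchronous BFS from one alerting node: a node is scored at the hop where
    it is first reached, summing parent_score * edge_weight * HOP_DAMPING over all
    frontier neighbours; earlier-reached nodes are never revisited (cycles terminate)."""
    propagated: Dict[str, float] = {}
    seen: Set[str] = {start}
    frontier: Dict[str, float] = {start: native_score}
    for _ in range(max_hops):          # the figures on this page stop after 4 iterations
        nxt: Dict[str, float] = defaultdict(float)
        for node, score in frontier.items():
            for neighbour, kind in graph.get(node, ()):
                if neighbour not in seen:
                    nxt[neighbour] += score * EDGE_WEIGHTS[kind] * HOP_DAMPING
        if not nxt:
            break
        seen.update(nxt)
        propagated.update(nxt)
        frontier = nxt
    return propagated

def aggregate_scores(graph: Adjacency, native: Dict[str, float],
                     max_hops: int = 4) -> Dict[str, float]:
    """Aggregate score = native score + propagated scores from every alerting node."""
    aggregate = {node: native.get(node, 0.0) for node in set(graph) | set(native)}
    for start, score in native.items():
        if score > 0:
            for node, share in propagate(graph, start, score, max_hops).items():
                aggregate[node] += share
    return aggregate

def form_clusters(graph: Adjacency, aggregate: Dict[str, float],
                  threshold: float) -> List[Set[str]]:
    """Connected components of the subgraph induced by nodes scoring above threshold."""
    unvisited = {node for node, score in aggregate.items() if score > threshold}
    clusters: List[Set[str]] = []
    while unvisited:
        root = unvisited.pop()
        component, queue = {root}, deque([root])
        while queue:
            for neighbour, _ in graph.get(queue.popleft(), ()):
                if neighbour in unvisited:   # below-threshold nodes never bridge clusters
                    unvisited.remove(neighbour)
                    component.add(neighbour)
                    queue.append(neighbour)
        clusters.append(component)
    return clusters

def rank_clusters(clusters: List[Set[str]],
                  aggregate: Dict[str, float]) -> List[Tuple[float, List[str]]]:
    """Cluster score = sum of member aggregate scores; highest-scoring cluster first."""
    scored = [(sum(aggregate[n] for n in c), sorted(c)) for c in clusters]
    return sorted(scored, key=lambda item: item[0], reverse=True)

# Constructed sample modelled on FIGS. 3 to 7: node names and native scores are
# from the figures; the edge list and edge types are inferred from the drawings.
EXAMPLE_EDGES: List[Edge] = [
    ("IP 1.1.1.1", "User 1", "s"),
    ("User 1", "Host A", "b"),
    ("Host A", "IP 92.168.1.1", "s"),
    ("Host A", "User 100", "b"),
    ("IP 92.168.1.1", "Database 1", "b"),
    ("IP 92.168.1.1", "Database 2", "b"),
    ("User 100", "IP 1.1.1.100", "s"),
]
EXAMPLE_NATIVE: Dict[str, float] = {"IP 1.1.1.1": 100.0, "Database 2": 100.0}

def prioritize(edges: Iterable[Edge] = EXAMPLE_EDGES,
               native: Dict[str, float] = EXAMPLE_NATIVE, threshold: float = 15.0):
    """Whole pipeline: graph -> aggregate scores -> ranked clusters above threshold."""
    graph = build_graph(edges)
    aggregate = aggregate_scores(graph, native)
    return aggregate, rank_clusters(form_clusters(graph, aggregate, threshold), aggregate)

if __name__ == "__main__":
    for score, members in prioritize()[1]:
        print(f"cluster score {score:.3f}: {', '.join(members)}")
```

With the default threshold of 15, prioritize() returns one cluster of seven nodes; only IP 1.1.1.100 (aggregate 10.125) stays out. Raising the threshold to 50 drops Host A (45.0) and Database 1 (25.3125) as well, and the graph splits into two ranked clusters, {IP 1.1.1.1, User 1} ahead of {Database 2, IP 92.168.1.1}. That is the effect FIG. 12 shows for the second example: a shared host whose own aggregate score is low does not merge two otherwise unrelated alert clusters. The max_hops bound is the check a practitioner wants on real data; the background describes graphs with hundreds of thousands of entities and tens of millions of edges, and an unbounded traversal from every alerting node would touch most of them.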
`
WIZ, Inc. EXHIBIT - 1045
WIZ, Inc. v. Orca Security LTD.
Patent Application Publication    Dec. 12, 2019    Sheet 1 of 17    US 2019/0379700 A1

[FIG. 1: architectural-level schematic of system 100. Enterprise Network 111 holds User Endpoints 121 (Computers 131a-n, Tablets 141a-n, Cell Phones 151a-n) and Servers 161a-m. Internet-Based Services 117 comprise Internet-Based Hosting Service 136, Web Service 137 and Cloud-Based Storage Service 139. Both connect through Network(s) 155 to Security Log Data 175 and the Alert Prioritization Engine 158.]
`
[Sheet 2 of 17, FIG. 2: block diagram 200 of the Alert Prioritization Engine 158, comprising Graph Generator 225, Graph Traverser 235, Alert Score Propagator 245, Cluster Formation Engine 255 and Alert Cluster Ranker 265.]
`
`
`
[Sheet 3 of 17, FIG. 3: Example 1, native scores (301). Nodes IP 1.1.1.1 and Database 2 each carry a native score of 100; Database 1, IP 92.168.1.1, Host A, User 1, User 100 and IP 1.1.1.100 have a native score of 0. The graph has different edge types, weighted Wgm(s) = 1.0 and Wgm(b) = 0.9.]
`
`
`
[Sheet 4 of 17, FIG. 4A: propagated scores from node IP 1.1.1.1 (401), Example 1. IP 1.1.1.1 keeps its native score of 100. 1st iteration: User 1 = 34.482. 2nd iteration: Host A = 0.105. Database 1, Database 2, IP 92.168.1.1, User 100 and IP 1.1.1.100 are still 0. Wgm(s) = 1.0, Wgm(b) = 0.9.]
`
`
`
[Sheet 5 of 17, FIG. 4B: propagated scores from node IP 1.1.1.1 (402), Example 1, continued. 1st iteration: User 1 = 34.482. 2nd iteration: Host A = 0.105. 3rd iteration: IP 92.168.1.1 = 0.036, User 100 = 0.032. Database 1, Database 2 and IP 1.1.1.100 are still 0. Wgm(s) = 1.0, Wgm(b) = 0.9.]
`
`
`
[Sheet 6 of 17, FIG. 4C: propagated scores from node IP 1.1.1.1 (403), Example 1, continued. 1st iteration: User 1 = 34.482. 2nd iteration: Host A = 0.105. 3rd iteration: IP 92.168.1.1 = 0.036, User 100 = 0.032. 4th iteration: Database 1 = 0.011, Database 2 = 0.011, IP 1.1.1.100 = 0.011. Wgm(s) = 1.0, Wgm(b) = 0.9.]
`
`
`
[Sheet 7 of 17, FIG. 5A: propagated scores from node Database 2 (501), Example 1. Database 2 keeps its native score of 100. 1st iteration: IP 92.168.1.1 = 15.517. 2nd iteration: Host A = 5.351, Database 1 = 4.815. IP 1.1.1.1, User 1, User 100 and IP 1.1.1.100 are still 0. Different edge types, Wgm(s) = 1.0, Wgm(b) = 0.9.]
`
`
`
[Sheet 8 of 17, FIG. 5B: propagated scores from node Database 2 (502), Example 1, continued. 1st iteration: IP 92.168.1.1 = 15.517. 2nd iteration: Host A = 5.351, Database 1 = 4.815. 3rd iteration: User 1 = 1.661, User 100 = 1.661. IP 1.1.1.1 and IP 1.1.1.100 are still 0. Wgm(s) = 1.0, Wgm(b) = 0.9.]
`
`
`
[Sheet 9 of 17, FIG. 5C: propagated scores from node Database 2 (503), Example 1, continued. 1st iteration: IP 92.168.1.1 = 15.517. 2nd iteration: Host A = 5.351, Database 1 = 4.815. 3rd iteration: User 1 = 1.661, User 100 = 1.661. 4th iteration: IP 1.1.1.1 = 0.572, IP 1.1.1.100 = 0.572. Wgm(s) = 1.0, Wgm(b) = 0.9.]
`
`
`
[Sheet 10 of 17, FIG. 6: aggregated scores (601), Example 1. Each node's aggregated score is its native score (100 for IP 1.1.1.1 and Database 2, 0 for the rest) plus the scores propagated to it from the two starting nodes in FIGS. 4A-4C and 5A-5C. Wgm(s) = 1.0, Wgm(b) = 0.9.]

Node            From IP 1.1.1.1   From Database 2   Aggregated Score
IP 1.1.1.1      N/A               0.572             100.572
User 1          34.482            1.661             36.143
Host A          0.105             5.351             5.456
IP 92.168.1.1   0.036             15.517            15.553
Database 1      0.011             4.815             4.826
User 100        0.032             1.661             1.693
IP 1.1.1.100    0.011             0.572             0.583
Database 2      0.011             N/A               100.011
`
`
`
[Sheet 11 of 17, FIG. 7: cluster formation (701), Example 1. Cluster 1 (711) groups the connected nodes whose aggregated scores lie above the threshold: IP 1.1.1.1 (100.572), User 1 (36.143), Host A (5.456), IP 92.168.1.1 (15.553), Database 1 (4.826) and Database 2 (100.011). Cluster 1 Score = 262.561, the sum of the member scores. User 100 (1.693) and IP 1.1.1.100 (0.583) fall outside the cluster. Wgm(s) = 1.0, Wgm(b) = 0.9.]
`
`
`
[Sheet 12 of 17, FIG. 8: Example 2, native scores (801). IP 1.1.1.1 and IP 1.1.1.100 each carry a native score of 100; Host A, User 1, User 2, User 99, User 100, IP 1.1.1.2 and IP 1.1.1.99 have a native score of 0. The users and IP addresses between 2 and 99 are elided in the drawing. Wgm(s) = 1.0, Wgm(b) = 0.9.]
`
`
`
[Sheet 13 of 17, FIG. 9: propagated scores from node IP 1.1.1.1 (901), Example 2. IP 1.1.1.1 keeps its native score of 100; User 1 = 34.48; Host A = 0.107; User 2, User 99 and User 100 = 0.033 each; IP 1.1.1.2, IP 1.1.1.99 and IP 1.1.1.100 = 0.011 each. Wgm(s) = 1.0, Wgm(b) = 0.9.]
`
`
`
[Sheet 14 of 17, FIG. 10: propagated scores from node IP 1.1.1.100 (1001), Example 2. IP 1.1.1.100 keeps its native score of 100; User 100 = 34.48; Host A = 0.107; User 1, User 2 and User 99 = 0.033 each; IP 1.1.1.1, IP 1.1.1.2 and IP 1.1.1.99 = 0.011 each. Wgm(s) = 1.0, Wgm(b) = 0.9.]
`
`
`
[Sheet 15 of 17, FIG. 11: aggregated scores (1101), Example 2, each the node's native score plus the propagated scores of FIGS. 9 and 10. IP 1.1.1.1 = 100.011, IP 1.1.1.100 = 100.011, User 1 = 34.513, User 100 = 34.513, Host A = 0.214, User 2 = 0.066, User 99 = 0.066, IP 1.1.1.2 = 0.022, IP 1.1.1.99 = 0.022. Wgm(s) = 1.0, Wgm(b) = 0.9.]
`
`
`
[Sheet 16 of 17, FIG. 12: cluster formation (1201), Example 2. Cluster 1 (1211): IP 1.1.1.1 (100.011) and User 1 (34.513), Cluster 1 Score = 134.524. Cluster 2 (1217): IP 1.1.1.100 (100.011) and User 100 (34.513), Cluster 2 Score = 134.524. Host A (0.214), User 2 (0.066), User 99 (0.066), IP 1.1.1.2 (0.022) and IP 1.1.1.99 (0.022) lie below the threshold and belong to neither cluster, so the shared Host A does not merge the two clusters. Wgm(s) = 1.0, Wgm(b) = 0.9.]
`
`
`
[Sheet 17 of 17, FIG. 13: simplified block diagram of computer system 1300 implementing the Alert Prioritization Engine 158. Storage Subsystem 1310 comprises Memory Subsystem 1322 (RAM 1332, ROM 1334) and File Storage Subsystem 1336. User Interface Input Devices 1338, CPU 1372, Network Interface Subsystem 1374, User Interface Output Devices 1376 and GPU, FPGA 1378 are connected through Bus Subsystem 1355.]
`
`
`
`
SYSTEMS AND METHODS FOR ALERT PRIORITIZATION USING SECURITY EVENTS GRAPH
`
PRIORITY DATA

[0001] This application claims the benefit of U.S. Provisional Patent Application No. 62/683,795, entitled "ALERT PRIORITIZATION USING GRAPH ALGORITHMS", filed on Jun. 12, 2018 (Atty. Docket No. NSKO 1022-1). The provisional application is incorporated by reference as if fully set forth herein.

INCORPORATIONS

[0002] The following materials are incorporated by reference as if fully set forth herein:

[0003] U.S. Provisional Patent Application No. 62/683,789, entitled "SYSTEM TO SHOW DETAILED STRUCTURE IN A MODERATELY SIZED GRAPH", filed on Jun. 12, 2018 (Atty. Docket No. NSKO 1024-1).

[0004] Contemporaneously filed U.S. patent application Ser. No. ________, entitled "SYSTEMS AND METHODS TO SHOW DETAILED STRUCTURE IN A SECURITY EVENTS GRAPH", filed on ________, 2019 (Atty. Docket No. NSKO 1024-2).
FIELD OF THE TECHNOLOGY DISCLOSED

[0005] The technology disclosed relates to graph presentation for prioritization of security incidents.

BACKGROUND

[0006] The subject matter discussed in this section should not be assumed to be prior art merely as a result of its mention in this section. Similarly, a problem mentioned in this section or associated with the subject matter provided as background should not be assumed to have been previously recognized in the prior art. The subject matter in this section merely represents different approaches, which in and of themselves can also correspond to implementations of the claimed technology.
[0007] Security analysts use log data generated by security and operations systems to identify and protect enterprise networks against cybersecurity threats. Gigabytes of security and operations log data can be generated in a short time. These logs contain security events with varying levels of threat. Firstly, it is difficult for an analyst to go through these logs and identify the alerts that need immediate attention. Secondly, it is difficult to identify the different computer network entities related to a particular alert. Graphs can be used to visualize computer network entities, which are connected to other entities through edges. However, for a typical enterprise network, graphs can become very large, with hundreds of thousands of entities connected through tens of millions of edges. Security analysts are overwhelmed by such graphs of security events, and they can miss the most important alerts and the entities related to those alerts. Some of these alerts are false positives. In most cases, a well-planned cyberattack impacts more than one entity in the enterprise network. It is difficult for security analysts to review the graph and identify groups of entities impacted by one or more alerts in the logs.

[0008] Therefore, an opportunity arises to automatically identify groups of entities in an enterprise network that are impacted by one or more alerts in the logs of data generated by security systems in a computer network.
BRIEF DESCRIPTION OF THE DRAWINGS

[0009] In the drawings, like reference characters generally refer to like parts throughout the different views. Also, the drawings are not necessarily to scale, with an emphasis instead generally being placed upon illustrating the principles of the technology disclosed. In the following description, various implementations of the technology disclosed are described with reference to the following drawings, in which:

[0010] FIG. 1 illustrates an architectural level schematic of a system in which an alert prioritization engine is used to automatically group security alerts and present prioritized alerts to a security analyst.

[0011] FIG. 2 is a block diagram example of components of the alert prioritization engine of FIG. 1.

[0012] FIG. 3 illustrates native scores assigned to nodes in a first example graph of an enterprise network.

[0013] FIGS. 4A, 4B, and 4C illustrate propagated scores from a first starting node in the first example graph presented in FIG. 3.

[0014] FIGS. 5A, 5B, and 5C illustrate propagated scores from a second starting node in the first example graph presented in FIG. 3.

[0015] FIG. 6 presents aggregate scores for nodes in the first example graph presented in FIG. 3.

[0016] FIG. 7 presents cluster formation of connected nodes in the first example graph presented in FIG. 3.

[0017] FIG. 8 illustrates native scores assigned to nodes in a second example graph of an enterprise network.

[0018] FIG. 9 presents propagated scores from a first starting node in the second example graph presented in FIG. 8.

[0019] FIG. 10 presents propagated scores from a second starting node in the second example graph presented in FIG. 8.

[0020] FIG. 11 presents aggregate scores for nodes in the second example graph presented in FIG. 8.

[0021] FIG. 12 presents cluster formation of connected nodes in the second example graph presented in FIG. 8.

[0022] FIG. 13 is a simplified block diagram of a computer system that can be used to implement the technology disclosed.
`
DETAILED DESCRIPTION

[0023] The following discussion is presented to enable any person skilled in the art to make and use the technology disclosed, and is provided in the context of a particular application and its requirements. Various modifications to the disclosed implementations will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other implementations and applications without departing from the spirit and scope of the technology disclosed. Thus, the technology disclosed is not intended to be limited to the implementations shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.
INTRODUCTION

[0024] Protecting enterprise networks against cybersecurity attacks is a priority of every organization. Gigabytes of