US010498845B1

(12) United States Patent
Kapoor et al.

(10) Patent No.: US 10,498,845 B1
(45) Date of Patent: Dec. 3, 2019

(54) USING AGENTS IN A DATA CENTER TO MONITOR NETWORK CONNECTIONS

(71) Applicant: Lacework Inc., Mountain View, CA (US)

(72) Inventors: Vikram Kapoor, Cupertino, CA (US); Rakesh Sachdeva, Santa Clara, CA (US); Samuel Joseph Pullara, III, Los Altos, CA (US)

(73) Assignee: Lacework Inc., Mountain View, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 16/134,836

(22) Filed: Sep. 18, 2018

Related U.S. Application Data

(60) Provisional application No. 62/590,986, filed on Nov. 27, 2017, provisional application No. 62/650,971, filed on Mar. 30, 2018.

(51) Int. Cl.
H04L 29/08 (2006.01)
G06F 9/54 (2006.01)
G06F 9/455 (2018.01)
H04L 29/06 (2006.01)
G06F 16/901 (2019.01)
G06F 16/9038 (2019.01)
G06F 16/9537 (2019.01)

(52) U.S. Cl.
CPC: H04L 67/22 (2013.01); G06F 9/455 (2013.01); G06F 9/545 (2013.01); G06F 16/9024 (2019.01); G06F 16/9038 (2019.01); G06F 16/9537 (2019.01); H04L 63/1425 (2013.01)

(58) Field of Classification Search
CPC: H04L 67/22; H04L 63/1425; G06F 16/9038; G06F 16/9537; G06F 16/9024; G06F 9/455; G06F 9/545
See application file for complete search history.

Primary Examiner — Mohamed A. Wasel
(74) Attorney, Agent, or Firm: Van Pelt, Yi & James LLP

(57) ABSTRACT

An agent executes in user space on a machine and monitors for network connections. In response to detecting an initiation of a network connection, data associated with a process associated with the network connection is collected, e.g., by the agent. At least a portion of the collected process data is reported to an external node. The reported information is used to detect anomalies in a network environment.

42 Claims, 63 Drawing Sheets

Front-page drawing, flowchart 1800:
1802: Receive data associated with activities occurring within a network environment.
1804: Generate a logical graph model using at least a portion of the activities.
1806: Detect an anomaly using the logical graph.
1808: Generate an alert based on detecting the anomaly.

WIZ, Inc. EXHIBIT - 1111
WIZ, Inc. v. Orca Security LTD.

U.S. Patent    Dec. 3, 2019    Sheet 1 of 63    US 10,498,845 B1

[FIG. 1 (Sheet 1 of 63): system diagram. Labelled components include Agent, Agent Service, Load Balancer, Data Aggregator, Kinesis, S3, S3 Loader, DB Loader, DATABASE (e.g., SnowflakeDB), EventGen, Graph Gen, GBM, GBM Runner, SSH Tracker, AWS Cloud Trail Analyzer, Threat Aggr, Hawkeye, Query Service, Alert Notifier, Reporting, Web App, QsJobServer, Redis and Aurora. The labels ACME and BETA also appear.]

FIG. 2 (Sheet 2 of 63), flowchart 200:
202: Receive packet.
204: Get connection information associated with packet.
206: Determine process associated with connection.
208: Determine information about process (e.g., parents, binary, user).
210: Transmit information.

FIG. 3A (Sheet 3 of 63), reference numerals 300 to 328:

    "event": {
      "created_time": 1501626889179,
      "type": "ProcessData",
      "data": {
        "net.lacework.model.agent.ProcessData": {
          "pid": 26191,
          "pid_hash": 7372148259205580000,
          "start_time": 1501515701990,
          "uid": 0,
          "euid": 0,
          "username": {
            "string": "root"
          },
          "ppid": 1336,
          "ppid_hash": {
            "long": 376175681985733950
          },
          "pgid": 26191,
          "pgid_hash": {
            "long": 7372148259205580000
          },
          "sid": 1336,
          "sid_hash": {
            "long": 376175681985733950
          },
          "tty": "0",
          "cmdline_hash": "1fe756721a20ddec981aa953bce34c1a",
          "exe_path": {
            "string": "/usr/bin/containerd-shim"
          },
          "eusername": {
            "string": "root"
          },
          "container_id": null
        }
      }
    }

FIG. 3B (Sheet 4 of 63), reference numerals 350 to 364:

    "event": {
      "created_time": 1501626889179,
      "type": "ProcessStatsData",
      "data": {
        "net.lacework.model.agent.ProcessStatsData": {
          "pid_hash": 7372148259205580000,
          "threads": 10,
          "vsize": 221245440,
          "rsize": 1296,
          "utime": 839,
          "stime": 2852
        }
      }
    }

FIG. 3C and FIG. 3D (Sheet 5 of 63):

    "outgoing": {
      "net.lacework.model.agent.UniDirectionData": {
        "bytes": 7524648,
        "compress_ratio": 0,
        "compress_samples": 0,
        "packet_len_hist": {
          "net.lacework.model.agent.Histogram": {
            "count": 471,
            "sum": 7524648,
            "max": 31856,
            "std_dev": 0,
            "buckets": null
          }
        },
        "session_len_hist": {
          "net.lacework.model.agent.Histogram": {
            "count": 4,
            "sum": 7524648,
            "max": 2532151,
            "std_dev": 0,
            "buckets": null
          }
        },
        "session_time_hist": {
          "net.lacework.model.agent.Histogram": {
            "count": 4,
            "sum": 152452,
            "max": 52039,
            "std_dev": 0,
            "buckets": null
          }
        },
        "session_switch_time_hist": {
          "net.lacework.model.agent.Histogram": {
            "count": 3,
            "sum": 544171,
            "max": 223693,
            "std_dev": 0,
            "buckets": null
          }
        }
      }
    }

    "incoming": {
      "net.lacework.model.agent.UniDirectionData": {
        "bytes": 1041,
        "compress_ratio": 0,
        "compress_samples": 0,
        "packet_len_hist": {
          "net.lacework.model.agent.Histogram": {
            "count": 6,
            "sum": 1041,
            "max": 298,
            "std_dev": 0,
            "buckets": null
          }
        },
        "session_len_hist": {
          "net.lacework.model.agent.Histogram": {
            "count": 3,
            "sum": 1041,
            "max": 347,
            "std_dev": 0,
            "buckets": null
          }
        },
        "session_time_hist": {
          "net.lacework.model.agent.Histogram": {
            "count": 3,
            "sum": 87,
            "max": 43,
            "std_dev": 0,
            "buckets": null
          }
        },
        "session_switch_time_hist": {
          "net.lacework.model.agent.Histogram": {
            "count": 3,
            "sum": 1750190,
            "max": 1180754,
            "std_dev": 0,
            "buckets": null
          }
        }
      }
    }

[FIG. 4 (Sheet 6 of 63): diagram. Labels: VM1, VM2, PID1, PID2, App1 (Apache), App2 (Oracle), and the connection tuple 10.10.10.10, 24256, 11.11.11.11, 45167, TCP.]

[FIG. 5 (Sheet 7 of 63): graph fragment with nodes Update_engine (7) and Update.core-os.net. Detail panel: Connections: 7; Sent: 10.5 KB; Received: 29.3 KB; Bandwidth: 11.0 B/sec; TCP: 100%. Reference numerals: 502, 504, 506, 508.]

[FIG. 6 (Sheet 8 of 63): graph view. Detail panel for node s3.amazonaws.com (5): Type: s3.amazonaws.com; Associated FQDN(s); Members: 5; Sent: 892.4 MB; Received: 1.7 GB. Legible node labels include docker, lacework/graphgen, lacework/gbm-runner (3), lacework/eventgen (2), lacework/etl-history-loader, lacework/ssh-tracker, lacework/s3-loader (2), lacework/reporting, haproxy, nginx (6), Internal IP clients (10), External IPs (510) and Instance Metadata. Reference numerals: 602, 604, 606.]

[FIG. 7 (Sheet 9 of 63): graph view. Legible node labels include pagerduty.com, slack.com, lacework.net, amazonaws.com (2), ssh (16479), sshd (421), ruby (66), dhclient (336), External IPs (1349), Internal IP clients (198), Instance Metadata, and numbered dns_host, exe, java_term and python_term nodes. Reference numerals: 700, 702, 704, 706, 708.]

[FIG. 8 (Sheet 10 of 63): POLYGRAPHS view with tabs Application Communication, Application Launch and Insider Behavior, a Graph Diff control, Search, and a timeline for Mon 5 June (12 AM to 11 AM). Legible node labels include kinesis, dynamodb, ec2, email, kms, monitoring, sqs and rds endpoints under us-west-2.amazonaws.com, sts.amazonaws.com, s3.amazonaws.com (6), slack.com (2), metrics.wavefront.com, update.core-os.net, lacework/datacollector (13), lacework/ssh-tracker, lacework/usage-recorder, lacework/auth-server, sshd (9), nginx (6), haproxy (10), ntpd (13), etcdctl (3), systemd (2), systemd-networkd (13), External IPs (612) and Internal IP clients (6). Reference numerals: 802, 804, 806, 808, 810, 812, 814.]

[Sheet 11 of 63: POLYGRAPHS view with tabs Application Communication, Application Launch and Insider Behavior, a Graph Diff control, and a timeline (06 AM to 11 AM). Legible node labels include s3.amazonaws.com (2), slack.com (2), docker.io, dockerd, Instance Metadata, email.us-west-2.amazonaws.com, rds.us-west-2.amazonaws.com, lacework.snowflakecomputing.com, lacework/alert-notification-mgr, lacework/airflow and root's applications. Reference numerals: 902, 904, 906, 908, 910, 912, 920, 922.]