Patent · US Active

Detecting malicious lateral movement across a computer network

US10505954B2 · kind B2 · utility

Cited by: 8
References: 2
Claims: 20
Family size: 0

Assignee

Inventors

Key dates

Filing date: Jun 14, 2017
Grant date: Dec 10, 2019
Priority date
Expiry date: Dec 26, 2037

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L2463/146
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

Graph-based detection systems and techniques are provided to identify potential malicious lateral movement paths. System and security events may be used to generate a network connection graph and detect remote file executions and/or other detections, for use in tracking malicious lateral movement across a computer network, such as a compromised computer network. Lateral movement determination across a computer network may be divided into two subproblems: forensic analysis and general detection. With forensic analysis, given a malicious node, possible lateral movement leading into or out of the node is identified. General detection identifies previously unknown malicious lateral movement on a network using a remote file execution detector, and/or other detectors, and a rare path anomaly detection algorithm.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.