Systems and methods for using event-correlation graphs to detect attacks on computing systems

Assignee

• Symantec Corporation · US

Inventors

• Kevin Roundy · El Segundo, US
• Fanglu Guo · Los Angeles, US
• Sandeep Bhatkar · Sunnyvale, US
• Tao Cheng · Urbana, US
• Jie Fu · Beijing, CN
• Zhi Kai Li · Zigong, CN
• Darren Shou · Village of La Jolla, US
• Sanjay Sawhney · Cupertino, US
• Acar Tamersoy · Culver City, US
• Elias Khalil · Atlanta, US

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L63/1433
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

A computer-implemented method for using event-correlation graphs to detect attacks on computing systems may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing an event-correlation graph that includes a first node that represents the first actor, a second node that represents a second actor, and an edge that interconnects the first node and the second node and represents a suspicious event involving the first actor and the second actor, (3) calculating, based at least in part on the additional suspicious event, an attack score for the event-correlation graph, (4) determining that the attack score is greater than a predetermined threshold, and (5) determining, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event may be part of an attack on the computing system. Various other methods, systems, and computer-readable media are also disclosed.