Systems and methods for reducing false positives when using event-correlation graphs to detect attacks on computing systems
US9166997B1 · kind B1 · utility
Assignee
Inventors
Key dates
| Filing date | Sep 19, 2013 |
| Grant date | Oct 20, 2015 |
| Priority date | — |
| Expiry date | Nov 26, 2033 |
Classification
- Technology area (CPC H)Electricity
- CPC primaryH04L63/1416
- WIPO fieldDigital communication
- WIPO sectorElectrical engineering
Abstract
A computer-implemented method for reducing false positives when using event-correlation graphs to detect attacks on computing systems may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing an event-correlation graph that includes a first node that represents the first actor, a second node that represents a second actor, and an edge that represents an additional suspicious event involving the first actor and the second actor, (3) comparing the event-correlation graph with at least one additional event-correlation graph that represents events on at least one additional computing system, (4) determining that a similarity of the event-correlation graph and the additional event-correlation graph exceeds a predetermined threshold, and (5) classifying the suspicious event as benign based on determining that the similarity of the event-correlation graph and the additional event-correlation graph exceeds the predetermined threshold. Various other methods, systems, and computer-readable media are also disclosed.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.