Privilege inference and monitoring based on network behavior

US10277618B1 · US · B1

Patent metadata

Publication number: US-10277618-B1
Application number: US-201816174051-A
Country: US
Kind code: B1
Filing date: Oct 29, 2018
Priority date: May 18, 2018
Publication date: Apr 30, 2019
Grant date: Apr 30, 2019

Abstract

Official abstract text for this publication.

Embodiments are directed to monitoring network traffic. A monitoring engine may monitor network traffic associated with entities in one or more networks. A device relation model may be provided based on the entities and the network traffic. An inference engine associates the entities with privilege levels based on the device relation model based on an amount of access or an amount of control that source entities exert over the target entities. An anomaly engine may determine one or more interactions between the source entities and the target entities based on the monitored network traffic. The anomaly engine may generate escalation events based on the interactions associated with the source entities and the target entities where the target entities have a higher privilege level than the source entities. The anomaly engine may provide the escalation events to one or more users.

First claim

Opening claim text (preview).

What is claimed as new and desired to be protected by Letters Patent of the United States is:

1. A method for monitoring network traffic using one or more network computers, wherein execution of instructions by the one or more network computers perform the method comprising: instantiating a monitoring engine to perform actions, including: monitoring network traffic associated with a plurality of entities in one or more networks; and providing a device relation model based on the network traffic, the plurality of entities, and the one or more metrics based on the monitored network traffic; and instantiating an inference engine to perform actions, including: associating the plurality of entities with one or more privilege levels based on one or more device relation models and the one or more metrics; and increasing the one or more privilege levels for a source entity based on one or more metric values that are associated with one or more target entities that are linked to the source entity; and instantiating an anomaly engine to perform actions, including: determining one or more interactions between one or more source entities and the one or more target entities; providing one or more escalation events to one or more users based on the one or more interactions and the one or more privilege levels associated with the one or more source entities; and employing related credential information employed with one or more different applications having related activity from the one or more other activities to identify one or more sources of privilege escalation.

2. The method of claim 1, wherein the anomaly engine performs further actions, comprising: determining each of the one or more users that is associated with one or more privilege policies; and employing the one or more privilege policies to determine which of the one or more escalation events to provide to each of the one or more users.

3. The method of claim 1, wherein the anomaly engine performs further actions, comprising: employing one or more responses by the one or more users to the one or more provided escalation events to modify one or more privilege policies associated with the one or more users.

4. The method of claim 1, further comprising: employing the monitoring engine to perform further actions including discovering a new entity in the one or more networks based on privilege activity monitoring; and employing the inference engine to perform further actions, including: adding the new entity to a dependency graph as a critical entity based on one or more of network conditions, entity behavior, or entity characteristics; and adding one or more inferred privilege levels to the critical entity in the dependency graph based on one or more of privilege activity information or privilege relation information.

5. The method of claim 1, further comprising: employing the monitoring engine to perform further actions including discovering a new entity in the one or more networks based on protocol analysis and identifying remote access behavior directed to the one or more entities; and employing the inference engine to perform further actions, including: adding the new entity to an administration graph based on one or more of relationship information detected during administrative activities by the new entity; and adding one or more inferred privilege levels to the new entity in the administration graph based on one or more of privilege activity information or privilege relation information.

6. The method of claim 1, wherein the anomaly engine performs further actions, comprising: traversing the one or more device relation models to trace network flows that pass through the one or more entities; and determine network traffic flows that are associated with one or more different applications having related activity from one or more other entities.

7. A system for monitoring network traffic in a network: one or more network computers, comprising: one or more memories that store instructions; and one or more processors that execute instructions that perform actions, including: instantiating a monitoring engine to perform actions, including: monitoring network traffic associated with a plurality of entities in one or more networks; and providing a device relation model based on the network traffic, the plurality of entities, and the one or more metrics based on the monitored network traffic; and instantiating an inference engine to perform actions, including: associating the plurality of entities with one or more privilege levels based on one or more device relation models and the one or more metrics; and increasing the one or more privilege levels for a source entity based on one or more metric values that are associated with one or more target entities that are linked to the source entity; and instantiating an anomaly engine to perform actions, including: determining one or more interactions between one or more source entities and the one or more target entities; providing one or more escalation events to one or more users based on the one or more interactions and the one or more privilege levels associated with the one or more source entities; and employing related credential information employed with one or more different applications having related activity from the one or more other activities to identify one or more sources of privilege escalation.

8. The system of claim 7, wherein the anomaly engine performs further actions, comprising: determining each of the one or more users that is associated with one or more privilege policies; and employing the one or more privilege policies to determine which of the one or more escalation events to provide to each of the one or more users.

9. The system of claim 7, wherein the anomaly engine performs further actions, comprising: employing one or more responses by the one or more users to the one or more provided escalation events to modify one or more privilege policies associated with the one or more users.

10. The system of claim 7, further comprising: employing the monitoring engine to perform further actions including discovering a new entity in the one or more networks based on privilege activity monitoring; and employing the inference engine to perform further actions, including: adding the new entity to a dependency graph as a critical entity based on one or more of network conditions, entity behavior, or entity characteristics; and adding one or more inferred privilege levels to the critical entity in the dependency graph based on one or more of privilege activity information or privilege relation information.

11. The system of claim 7, further comprising: employing the monitoring engine to perform further actions including discovering a new entity in the one or more networks based on protocol analysis and identifying remote access behavior directed to the one or more entities; and employing the inference engine to perform further actions, including: adding the new entity to an administration graph based on one or more of relationship information detected during administrative activities by the new entity; and adding one or more inferred privilege levels to the new entity in the administration graph based on one or more of privilege activity information or privilege relation information.

12. The system of claim 7, wherein the anomaly engine performs further actions, comprising: traversing the one or more device relation models to trace network flows that pass through the one or more entities; and determine network traffic flows that are associated with one or more different applicati
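The pipeline the abstract and claims describe (a device relation model built from traffic, privilege levels inferred from how much access and control each entity has, and escalation events for interactions whose target outranks the source), as an added illustration that is not code from the patent or from ExtraHop. The control-protocol list, the level formula, the constructed flow records and the rule of only flagging links absent from the baseline model are my assumptions; claim 4's "new entity" case is handled by giving unseen entities level 0.

```python
from collections import defaultdict

# Remote-administration ("control") protocols; an assumed list, not the patent's.
CONTROL_SERVICES = {"ssh", "rdp", "winrm"}

# Constructed baseline flow records: (source, target, service, session count).
BASELINE_FLOWS = [
    ("admin-jump", "web01", "ssh", 10), ("admin-jump", "db01", "ssh", 8),
    ("admin-jump", "dc01", "rdp", 5), ("web01", "db01", "mysql", 500),
    ("web01", "dc01", "ldap", 120), ("ws-alice", "web01", "https", 200),
    ("ws-alice", "dc01", "kerberos", 40), ("ws-bob", "web01", "https", 150),
    ("ws-bob", "dc01", "kerberos", 35),
]

def build_relation_model(flows):
    """Device relation model: who depends on whom (any traffic) and who
    administers whom (control-protocol traffic only)."""
    entities, dependents, controls = set(), defaultdict(set), defaultdict(set)
    for src, dst, service, _count in flows:
        entities.update((src, dst))
        dependents[dst].add(src)       # src relies on dst: "amount of access"
        if service in CONTROL_SERVICES:
            controls[src].add(dst)     # src administers dst: "amount of control"
    return entities, dependents, controls

def infer_privilege(entities, dependents, controls):
    """Level = distinct dependents, then raised above every administered target;
    iterated to a fixed point so control chains (jump host -> server) propagate."""
    level = {e: len(dependents[e]) for e in entities}
    for _ in range(len(entities)):           # bounded; cycles cannot loop forever
        changed = False
        for src, targets in controls.items():
            want = 1 + max(level[t] for t in targets)
            if want > level[src]:
                level[src], changed = want, True
        if not changed:
            break
    return level

def detect_escalations(level, baseline_flows, new_flows):
    """Escalation event: a link absent from the baseline model whose target
    holds a higher inferred privilege level than its source."""
    known = {(s, d, svc) for s, d, svc, _ in baseline_flows}
    events = []
    for src, dst, service, _count in new_flows:
        gap = level.get(dst, 0) - level.get(src, 0)   # unseen entity: level 0
        if (src, dst, service) not in known and gap > 0:
            events.append({"source": src, "target": dst, "service": service,
                           "gap": gap, "control": service in CONTROL_SERVICES})
    return events
```

With the constructed baseline the jump host ends at level 5 and the domain controller at level 4, so a workstation opening SSH to the database server or a web server opening RDP to the domain controller both produce events, while the jump host's own administrative sessions do not.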

Assignees

Extrahop Networks Inc

Inventors

Classifications

  • comprising network management agents or mobile agents therefor · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

  • Multiple levels of security · CPC title

  • Event detection, e.g. attack signature detection · CPC title

  • related to network traffic · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Extrahop Networks Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date Apr 30, 2019 (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).