Detecting malicious online activities using event stream processing over a graph database
US-9967265-B1 · May 8, 2018 · US
US10958672B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10958672-B2 |
| Application number | US-201916712569-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 12, 2019 |
| Priority date | Aug 15, 2016 |
| Publication date | Mar 23, 2021 |
| Grant date | Mar 23, 2021 |
Official abstract text for this publication.
An automated method for processing security events in association with a cybersecurity knowledge graph. The method begins upon receipt of information from a security system representing an offense. An initial offense context graph is built based in part on context data about the offense. The graph also includes activity nodes connected to a root node; at least one activity node includes an observable. The root node and its one or more activity nodes represent a context for the offense. The knowledge graph, and potentially other data sources, are then explored to further refine the initial graph to generate a refined graph that is then provided to an analyst for further review and analysis. Knowledge graph exploration involves locating the observables and their connections in the knowledge graph, determining that they are associated with known malicious entities, and then building subgraphs that are then merged into the initial graph.
Opening claim text (preview).
Having described our invention, what we claim is as follows:

1. A method for processing event data, comprising: building a graph based in part on context data about an offense associated with a security system, wherein a node associated with the graph has data representing an observable; locating the observable as being present within a second graph; based on the located observable and its connections being associated with one or more known malicious entities represented in the second graph, wherein at least one connection is a path from a node in the graph to an additional node representing the observable that also passes through the second graph, generating, from the second graph, a subgraph having at least one hypothesis associated therewith; merging the subgraph with the graph to generate a refined graph, wherein the refined graph also includes one or more additional observables supporting the at least one hypothesis; and evaluating the refined graph.
2. The method as described in claim 1 further including: querying the security system for the one or more additional observables.
3. The method as described in claim 1 further including determining a type of the offense and, based at least on the identified type, identifying the context data.
4. The method as described in claim 1 further including extending the graph to include additional nodes representing information that does not relate directly to the offense.
5. The method as described in claim 1 wherein generating at least one subgraph further includes pruning the second graph according to at least one metric.
6. The method as described in claim 1 wherein the security system is a SIEM, and wherein the second graph is derived from structured and unstructured data sources representing general knowledge about security and threat intelligence.
7. An apparatus for processing event data, comprising: a processor; computer memory holding computer program instructions executed by the processor, the computer program instructions configured to: build a graph based in part on context data about an offense associated with a security system, wherein a node associated with the graph has data representing an observable; locate the observable as being present within a second graph; based on the located observable and its connections being associated with one or more known malicious entities represented in the second graph, wherein at least one connection is a path from a node in the graph to an additional node representing the observable that also passes through the second graph, generate, from the second graph, a subgraph having at least one hypothesis associated therewith; merge the subgraph with the graph to generate a refined graph, wherein the refined graph also includes one or more additional observables supporting the at least one hypothesis; and evaluate the refined graph.
8. The apparatus as described in claim 7 further including computer program instructions configured to: query the security system for the one or more additional observables.
9. The apparatus as described in claim 7 further including computer program instructions configured to determine a type of the offense and, based at least on the identified type, identifying the context data.
10. The apparatus as described in claim 7 further including computer program instructions configured to extend the graph to include additional nodes representing information that does not relate directly to the offense.
11. The apparatus as described in claim 7 wherein the computer program instructions configured to generate at least one subgraph further include program instructions configured to prune the second graph according to at least one metric.
12. The apparatus as described in claim 7 wherein the security system is a SIEM, and wherein the second graph is derived from structured and unstructured data sources representing general knowledge about security and threat intelligence.
13. A computer program product in a non-transitory computer readable medium for use in a data processing system for processing security event data in association with a knowledge graph, the computer program product holding computer program instructions that, when executed by the data processing system, are configured to: build a graph based in part on context data about an offense associated with a security system, wherein a node associated with the graph has data representing an observable; locate the observable as being present within a second graph; based on the located observable and its connections being associated with one or more known malicious entities represented in the second graph, wherein at least one connection is a path from a node in the graph to an additional node representing the observable that also passes through the second graph, generate, from the second graph, a subgraph having at least one hypothesis associated therewith; merge the subgraph with the graph to generate a refined graph, wherein the refined graph also includes one or more additional observables supporting the at least one hypothesis; and evaluate the refined graph.
14. The computer program product as described in claim 13 further including computer program instructions configured to: query the security system for the one or more additional observables.
15. The computer program product as described in claim 13 further including computer program instructions configured to determine a type of the offense and, based at least on the identified type, identifying the context data.
16. The computer program product as described in claim 13 further including computer program instructions configured to extend the graph to include additional nodes representing information that does not relate directly to the offense.
17. The computer program product as described in claim 13 wherein the computer program instructions configured to generate at least one subgraph further include program instructions configured to prune the second graph according to at least one metric.
18. The computer program product as described in claim 13 wherein the security system is a SIEM, and wherein the second graph is derived from structured and unstructured data sources representing general knowledge about security and threat intelligence.
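The refinement loop that the abstract and claims describe (initial offense context graph, locating observables in the knowledge graph, pruned malicious subgraphs carrying a hypothesis, SIEM-sourced supporting observables, merge, evaluate), as an added example that is not the patent's or any assignee's code. The knowledge graph, the malicious-entity set, the SIEM lookup table, every IP, domain, campaign and host name, and the hop-limit used as the pruning metric are constructed assumptions for illustration only.

```python
from collections import deque

KG = {  # constructed knowledge graph (undirected adjacency) with two known malicious entities
    "203.0.113.7": {"evil.example"},
    "evil.example": {"203.0.113.7", "campaign:A", "198.51.100.9"},
    "campaign:A": {"evil.example", "malware:Q"},
    "malware:Q": {"campaign:A", "198.51.100.9"},
    "198.51.100.9": {"evil.example", "malware:Q"},
    "192.0.2.44": set(),  # present in the KG but linked to nothing malicious
}
MALICIOUS = {"campaign:A", "malware:Q"}
SIEM = {"198.51.100.9": ["host-42 resolved 198.51.100.9"]}  # constructed stand-in for a SIEM query

def malicious_subgraph(observable, max_hops=3):
    """Edges and nodes on shortest KG paths from the observable to known malicious entities."""
    if observable not in KG:
        return set(), set()
    parent, frontier = {observable: None}, deque([(observable, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if depth == max_hops:  # pruning metric (claim 5): do not expand beyond this depth
            continue
        for nxt in sorted(KG[node]):  # sorted keeps the search deterministic
            if nxt not in parent:
                parent[nxt] = node
                frontier.append((nxt, depth + 1))
    edges, nodes = set(), set()
    for node in MALICIOUS & set(parent):  # walk each malicious hit back to the observable
        while parent[node] is not None:
            edges.add((parent[node], node))
            nodes.add(node)
            node = parent[node]
    return edges, nodes

def refine(offense, observables, max_hops=3):
    """Build the initial offense context graph (root joined to one activity node per observable), then merge in malicious subgraphs and hypotheses."""
    refined = {"root": offense, "edges": {(offense, o) for o in observables}, "hypotheses": []}
    for observable in observables:
        edges, nodes = malicious_subgraph(observable, max_hops)
        if not edges:
            continue  # unknown to the KG, or not connected to anything malicious
        support = sorted(n for n in nodes if n in SIEM)  # additional observables (claim 2)
        refined["edges"] |= edges | {(offense, n) for n in support}
        refined["hypotheses"].append({"observable": observable,
                                      "entities": sorted(nodes & MALICIOUS), "support": support})
    return refined

def evaluate(refined):
    """Score for the analyst: malicious entities reached plus SIEM-corroborated observables."""
    return sum(len(h["entities"]) + len(h["support"]) for h in refined["hypotheses"])
```

Lowering max_hops shows the pruning effect: with two hops the subgraph reaches only campaign:A and picks up no corroborating observable, so the hypothesis scores lower.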
Traffic logging, e.g. anomaly detection · CPC title
Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities · CPC title
Test or assess a computer or a system · CPC title
Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity · CPC title
Computer malware detection or handling, e.g. anti-virus arrangements · CPC title