Detecting Cyber Attacks by Correlating Alerts Sequences in a Cluster Environment
US-2018248893-A1 · Aug 30, 2018 · US
Endpoint detection and response attack process tree auto-play
US12093387B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12093387-B2 |
| Application number | US-202117303415-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 28, 2021 |
| Priority date | Nov 30, 2018 |
| Publication date | Sep 17, 2024 |
| Grant date | Sep 17, 2024 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
A computer receives one or more security alerts. The computer selects a subset of the one or more security alerts for processing. The computer executes one or more queries automatically, based on the subset of the one or more security alerts. The computer identifies one or more related processes, wherein the one or more related processes are related to information contained within the subset of the one or more security alerts. The computer displays a full flow of a malware attack, wherein the full flow includes the information contained within the subset of the one or more security alerts and the one or more related processes.
First claim
Opening claim text (preview).
What is claimed is: 1. A computer-implemented method for automated endpoint detection and response, the method comprising: receiving security alerts; executing one or more queries automatically, on at least one security alert of the security alerts; identifying related processes based on contents of the one of the security alerts, wherein the related processes are related to information contained within the at least one security alert subset of the security alerts; running queries in the one or more queries in an iterative manner, to identify all child processes and all parent processes for each process in the related processes; determining whether the at least one security alert of the security alerts correlates to other security alerts in the security alerts based on the related processes and child processes and parent processes for each process in the related process; receiving an additional security alert in response to determining that the at least one security alert of the security alerts does not correlate to other security alerts in the security alerts; linking the additional security alert with the at least one security alert of the security alerts based on the identified related processes and contents for the additional security alert and the at least one security alert of the security alerts; and displaying a full flow of a malware attack in form of a process tree, wherein the full flow of a malware attack comprising the additional security alert and the at least one security alert of the security alerts, and the information contained within the at least one security alert of the security alerts and the related processes, and wherein the process tree presents all child processes and all parent processes for each process in the related processes. 2. The method of claim 1 , further comprising: determining a type of alert for each of the security alerts of the at least one security alert of the one or more security alerts. 3. The method of claim 2 , wherein the executing one or more queries automatically is further based on the type of alert for each of the security alerts of the at least one security alert of the one or more security alerts. 4. The method of claim 1 , wherein the one or more security alerts and the additional security alert are assigned with priority values, wherein queries for security alerts with higher priority values are executed before queries for security alerts with lower priority values. 5. The method of claim 1 , further comprising: providing an initial response to the malware attack. 6. The method of claim 5 , wherein the initial response to the malware attack is an action taken automatically to quarantine one or more files. 7. The method of claim 5 , wherein the initial response to the malware attack is a suggested course of action presented to a user. 8. A system for automated endpoint detection and response, the system comprising: one or more processors; and a memory communicatively coupled to the one or more processors, wherein the memory comprises instructions which, when executed by the one or more processors, cause the one or more processors to perform a method comprising: receiving security alerts; executing one or more queries automatically, on at least one security alert of the security alerts; identifying related processes based on contents of the one of the security alerts, wherein the related processes are related to information contained within the at least one security alert subset of the security alerts; running queries in the one or more queries in an iterative manner, to identify all child processes and all parent processes for each process in the related processes; determining whether the at least one security alert of the security alerts correlates to other security alerts in the security alerts based on the related processes and child processes and parent processes for each process in the related process; receiving an additional security alert in response to determining that the at least one security alert of the security alerts does not correlate to other security alerts in the security alerts; linking the additional security alert with the at least one security alert of the security alerts based on the identified related processes and contents for the additional security alert and the at least one security alert of the security alerts; and displaying a full flow of a malware attack in form of a process tree, wherein the full flow of a malware attack comprising the additional security alert and the at least one security alert of the security alerts, and the information contained within the at least one security alert of the security alerts and the related processes, and wherein the process tree presents all child processes and all parent processes for each process in the related processes. 9. The system of claim 8 , further comprising: determining a type of alert for each of the security alerts of the at least one security alert of the one or more security alerts. 10. The system of claim 9 , wherein the executing one or more queries automatically is further based on the type of alert for each of the security alerts of the at least one security alert of the one or more security alerts. 11. The system of claim 8 , wherein the one or more security alerts and the additional security alert are assigned with priority values, wherein queries for security alerts with higher priority values are executed before queries for security alerts with lower priority values. 12. The system of claim 8 , further comprising: providing an initial response to the malware attack. 13. The system of claim 12 , wherein the initial response to the malware attack is an action taken automatically to quarantine one or more files. 14. The system of claim 12 , wherein the initial response to the malware attack is a suggested course of action presented to a user. 15. A computer program product for automated endpoint detection and response, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, wherein the computer readable storage medium is not a transitory signal per se, the program instructions executable by a computer to perform a method comprising: receiving security alerts; executing one or more queries automatically, on at least one security alert of the security alerts; identifying related processes based on contents of the one of the security alerts, wherein the related processes are related to information contained within the at least one security alert subset of the security alerts; running queries in the one or more queries in an iterative manner, to identify all child processes and all parent processes for each process in the related processes; determining whether the at least one security alert of the security alerts correlates to other security alerts in the security alerts based on the related processes and child processes and parent processes for each process in the related process; receiving an additional security alert in response to determining that the at least one security alert of the security alerts does not correlate to other security alerts in the security alerts; linking the additional security alert with the at least one security alert of the security alerts based on the identified related processes and contents for the additional security alert and the at least one security alert of the security alerts; and displaying a full flow of a malware attack in form of a process tree, wherein the full flow of a malware attack comprising the additional security alert and the at least one
Assignees
Inventors
Classifications
- G06F21/554Primary
involving event detection and direct action · CPC title
Test or assess a computer or a system · CPC title
- G06F21/566Primary
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US12093387B2 cover?
- A computer receives one or more security alerts. The computer selects a subset of the one or more security alerts for processing. The computer executes one or more queries automatically, based on the subset of the one or more security alerts. The computer identifies one or more related processes, wherein the one or more related processes are related to information contained within the subset of…
- Who is the assignee on this patent?
- IBM
- What technology area does this patent fall under?
- Primary CPC classification G06F21/554. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Sep 17 2024 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).