Title: Method and apparatus for classifying and combining computer attack information
Abstract: A method and apparatus for classifying and combining computer attack information, which identifies as malicious those events in a network that cause organizationally or functionally distant entities to become closer to each other.
Publication number: US9413773(B2) Publication date: 2016.08.09
Application number: US201313827141 Filing date: 2013.03.14
Applicant: Cybereason Inc. Inventors: Striem Amit Yonatan; Pavlov Elan
Classification: G06F11/00; H04L29/06 Main classification: G06F11/00
Agency: Flachsbart & Greenspoon, LLC Agent: Flachsbart & Greenspoon, LLC
Main claim: 1. A computer-implemented method performed by a computerized device, comprising: monitoring a set of events in a computer network comprising a multiplicity of entities, wherein the set of events comprises at least one malicious event and at least one non-malicious event; for each event of a multiplicity of events in the set of events, and for each pair of organizationally or functionally distant entities of a multiplicity of entity pairs of the computer network, performing the steps of: determining by a computer a first distance between entities of the pair, the first distance computed without the event; determining by the computer a second distance between the entities of the pair, the second distance computed with the event; and outputting an indication that the event of the multiplicity of events is a malicious event based on the second distance computing to be smaller than the first distance; wherein determining both the first and second distances between entities of the pair comprises: determining by the computer a static distance between the two entities, wherein the static distance is defined by the extent 1) that the two entities belong to the same organizational unit or department; and 2) that the two entities share common installed software components; and determining by the computer a dynamic distance between the two entities, wherein the dynamic distance is defined by the extent of 1) the number of common privilege changes on each of the entities; 2) the number of common websites accessed by users of the entities; and 3) the number of common newly installed software applications on the entities; and combining the static distance and the dynamic distance to obtain each of the first and second distances; whereby computing the second distance with the event indicates a malicious event when the second distance computes to be smaller than the first distance.
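The claim above describes a detection rule (compare an entity pair's combined static/dynamic distance with and without an event, and flag the event when the distance shrinks) but does not fix how distances are computed. The following is an added illustration written for this record; it is not code from the patent or from Cybereason. It assumes a Jaccard distance on each feature set, an unweighted sum of the static and dynamic components, and a fixed threshold for deciding which pairs count as "distant"; the two workstations and the two events are constructed sample data.

```python
import dataclasses
from dataclasses import dataclass
from itertools import combinations

# One monitored entity (e.g. a host) with the attributes the claim names.
@dataclass(frozen=True)
class Entity:
    name: str
    org_unit: str                 # organizational unit / department
    software: frozenset           # installed software components
    privilege_changes: frozenset  # observed privilege changes
    websites: frozenset           # websites accessed by the entity's users
    new_apps: frozenset           # newly installed applications

# An event adds one value to one feature set of one entity.
@dataclass(frozen=True)
class Event:
    entity: str
    feature: str   # "software", "privilege_changes", "websites" or "new_apps"
    value: str

def jaccard_distance(a, b):
    """1 - |a ∩ b| / |a ∪ b|; two empty sets are treated as maximally distant (assumption)."""
    if not a and not b:
        return 1.0
    return 1.0 - len(a & b) / len(a | b)

def static_distance(a, b):
    """Claim's static distance: same department, plus shared installed software."""
    unit = 0.0 if a.org_unit == b.org_unit else 1.0
    return unit + jaccard_distance(a.software, b.software)

def dynamic_distance(a, b):
    """Claim's dynamic distance: common privilege changes, websites and new apps."""
    return (jaccard_distance(a.privilege_changes, b.privilege_changes)
            + jaccard_distance(a.websites, b.websites)
            + jaccard_distance(a.new_apps, b.new_apps))

def combined_distance(a, b, w_static=1.0, w_dynamic=1.0):
    """Combine static and dynamic distances (weighted sum is an assumption)."""
    return w_static * static_distance(a, b) + w_dynamic * dynamic_distance(a, b)

def apply_event(entity, event):
    """Return the entity as it would look after the event (unchanged if not its event)."""
    if entity.name != event.entity:
        return entity
    current = getattr(entity, event.feature)
    return dataclasses.replace(entity, **{event.feature: current | {event.value}})

def classify_event(a, b, event):
    """The claim's test: malicious if the distance with the event is smaller than without it."""
    first = combined_distance(a, b)
    second = combined_distance(apply_event(a, event), apply_event(b, event))
    return second < first, first, second

def flag_malicious_events(entities, events, distant_threshold=3.0):
    """For each event and each already-distant pair, report events that pull the pair closer."""
    flagged = []
    for event in events:
        for a, b in combinations(entities, 2):
            if combined_distance(a, b) <= distant_threshold:
                continue  # only organizationally/functionally distant pairs are examined
            is_malicious, _, _ = classify_event(a, b, event)
            if is_malicious:
                flagged.append((event, a.name, b.name))
    return flagged

# Constructed sample data: two workstations in different departments.
HR_WS = Entity("hr-ws", "HR", frozenset({"os", "office", "hr-app"}),
               frozenset(), frozenset({"intranet", "hr-portal"}), frozenset({"tool-x"}))
FIN_WS = Entity("fin-ws", "Finance", frozenset({"os", "office", "erp"}),
                frozenset(), frozenset({"intranet", "bank-portal"}), frozenset())

# Constructed events: the first installs on fin-ws an app hr-ws already has
# (pulling the pair closer); the second is a visit to a site hr-ws never uses.
INSTALL_EVENT = Event("fin-ws", "new_apps", "tool-x")
BROWSE_EVENT = Event("fin-ws", "websites", "news-site")

if __name__ == "__main__":
    for ev in (INSTALL_EVENT, BROWSE_EVENT):
        flag, first, second = classify_event(HR_WS, FIN_WS, ev)
        print(f"{ev}: first={first:.3f} second={second:.3f} malicious={flag}")
    print(flag_malicious_events([HR_WS, FIN_WS], [INSTALL_EVENT, BROWSE_EVENT]))
```

With this data the pair starts at a combined distance of about 4.167; the shared new-app installation lowers it to about 3.167 and is flagged, while the extra website visit raises the website term and is not. Note that the rule as claimed only reacts to events that reduce distance, so an event that makes two distant entities even more distant is never reported, whatever its other properties.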
Address: Wilmington DE US