Title: Lateral movement detection
Abstract: Lateral movement detection may be performed by employing different detection models to score logon sessions. The different detection models may be implemented using, or may rely on, counts computed from historical security event data. The different detection models may include probabilistic intrusion detection models that detect compromised behavior based on logon behavior, on the sequence of security events observed during a logon session, on the inter-event time between security events observed during a logon session, and/or on an attempt to log on using explicit credentials. The scores that the different detection models output for each logon session may be combined to generate a ranking score for that logon session. A list of ranked alerts may be generated from the ranking scores to identify compromised authorized accounts and/or compromised machines. An attack graph may be generated automatically from the compromised account-machine pairs to visually display the probable paths of an attacker.
Publication number: US9591006 (B2); publication date: 2017.03.07
Application number: US201414490594; filing date: 2014.09.18
Applicant: Microsoft Technology Licensing, LLC; inventors: Siva Kumar Ram Shankar; Vu Nguyen Song Khanh; DiPlacido Marco; Nair Vinod; Das Aniruddha; Swann Matt; Selvaraj Keerthi; Sellamanickam Sundararajan
Classification: H04L29/06; main classification: H04L29/06
Agency: not given; agents: Gupta Anand; Wong Tom; Minhas Micky
Principal claim: 1. A computer-implemented method for performing network intrusion detection in a computer network having multiple computing devices, the method comprising: receiving logon session data related to activities performed related to an authorized account during a logon session on a computing device in the computer network, the logon session data including data representing security events triggered during the logon session in response to the authorized account accessing a computing device in the computer network; deriving multiple probabilities of intrusion related to the logon session based on a comparison of the logon session data with distinct combinations of security event variables and a historical occurrence value of the individual distinct combinations of the security event variables, the individual probabilities of intrusion indicating whether one or more security events related to the logon session are indicative of a compromised behavior; and indicating at least one of the authorized account or the computing device of the computer network corresponding to the logon session as compromised based on a combination of the derived multiple probabilities of intrusion related to the logon session.
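The following is an added toy illustration of the pipeline the abstract and claim 1 describe, not the patent's or Microsoft's own implementation. It builds counts of distinct combinations of security event variables from constructed historical sessions, scores a new session with four simplified models (logon behavior, event sequence, inter-event timing, explicit-credential use), combines the per-model intrusion probabilities into a ranking score, ranks sessions into an alert list, and derives account-machine edges for an attack graph. All account names, machine names, event names, the add-one smoothing, the timing buckets, the equal-weight mean used to combine scores and the 0.6 alert threshold are assumptions made for this example.

```python
"""Toy lateral-movement scoring pipeline (added example; all data constructed)."""
from collections import Counter
from math import exp, log

# Constructed historical logon sessions:
# (account, machine, [(security event, minutes since session start), ...], explicit_credentials_used)
HISTORY = [
    ("alice", "ws01", [("logon", 0), ("file_read", 2), ("logoff", 40)], False),
    ("alice", "ws01", [("logon", 0), ("file_read", 3), ("logoff", 55)], False),
    ("alice", "ws01", [("logon", 0), ("print", 5), ("logoff", 30)], False),
    ("bob", "ws02", [("logon", 0), ("file_read", 1), ("logoff", 60)], False),
    ("bob", "ws02", [("logon", 0), ("logoff", 20)], False),
    ("svc_backup", "srv01", [("logon", 0), ("service_start", 0), ("logoff", 5)], True),
    ("svc_backup", "srv01", [("logon", 0), ("service_start", 0), ("logoff", 4)], True),
]

def gap_bucket(minutes):
    """Discretise inter-event time into three assumed buckets."""
    return "burst" if minutes < 1 else "minutes" if minutes < 30 else "long"

def build_counts(history):
    """Historical occurrence values for each distinct combination of event variables."""
    c = {"pair": Counter(), "acct": Counter(), "machines": set(), "bigram": Counter(),
         "prev": Counter(), "events": set(), "gap": Counter(), "gaps_total": 0,
         "explicit": Counter()}
    for acct, mach, events, explicit in history:
        c["pair"][(acct, mach)] += 1          # (account, machine) combinations
        c["acct"][acct] += 1
        c["machines"].add(mach)
        if explicit:
            c["explicit"][acct] += 1           # explicit-credential use per account
        names = [e for e, _ in events]
        c["events"].update(names)
        for a, b in zip(names, names[1:]):     # consecutive event pairs
            c["bigram"][(a, b)] += 1
            c["prev"][a] += 1
        for (_, t0), (_, t1) in zip(events, events[1:]):
            c["gap"][gap_bucket(t1 - t0)] += 1
            c["gaps_total"] += 1
    return c

def logon_model(c, acct, mach):
    """P(intrusion) from how unusual this account->machine logon is (add-one smoothing)."""
    v = len(c["machines"]) + 1                # +1 reserves mass for never-seen machines
    return 1 - (c["pair"][(acct, mach)] + 1) / (c["acct"][acct] + v)

def sequence_model(c, events):
    """P(intrusion) from the event sequence: 1 - geometric mean transition probability."""
    names = [e for e, _ in events]
    v = len(c["events"]) + 1
    logps = [log((c["bigram"][(a, b)] + 1) / (c["prev"][a] + v))
             for a, b in zip(names, names[1:])]
    return 1 - exp(sum(logps) / len(logps)) if logps else 0.0

def timing_model(c, events):
    """P(intrusion) from inter-event times: 1 - mean bucket probability."""
    ps = [(c["gap"][gap_bucket(t1 - t0)] + 1) / (c["gaps_total"] + 3)
          for (_, t0), (_, t1) in zip(events, events[1:])]
    return 1 - sum(ps) / len(ps) if ps else 0.0

def explicit_credential_model(c, acct, explicit):
    """P(intrusion) from whether explicit-credential use is typical for this account."""
    p_explicit = (c["explicit"][acct] + 1) / (c["acct"][acct] + 2)
    return 1 - (p_explicit if explicit else 1 - p_explicit)

def score_session(c, session):
    """Per-model probabilities and their equal-weight mean as the ranking score."""
    acct, mach, events, explicit = session
    scores = {"logon": logon_model(c, acct, mach), "sequence": sequence_model(c, events),
              "timing": timing_model(c, events),
              "explicit": explicit_credential_model(c, acct, explicit)}
    return sum(scores.values()) / len(scores), scores

def rank_sessions(c, sessions):
    """Ranked alert list: (ranking score, account, machine), highest first."""
    ranked = [(score_session(c, s)[0], s[0], s[1]) for s in sessions]
    return sorted(ranked, key=lambda r: r[0], reverse=True)

def attack_graph(alerts, threshold=0.6):
    """Account -> machines edges for pairs scoring at or above the (assumed) threshold."""
    graph = {}
    for score, acct, mach in alerts:
        if score >= threshold:
            graph.setdefault(acct, []).append(mach)
    return graph

# Constructed sessions to score: a normal one, one that looks like lateral movement, a normal one
TODAY = [
    ("alice", "ws01", [("logon", 0), ("file_read", 2), ("logoff", 45)], False),
    ("alice", "srv01", [("logon", 0), ("service_start", 0), ("file_read", 0), ("logoff", 1)], True),
    ("bob", "ws02", [("logon", 0), ("logoff", 25)], False),
]
COUNTS = build_counts(HISTORY)

if __name__ == "__main__":
    for score, acct, mach in rank_sessions(COUNTS, TODAY):
        print(f"{score:.3f}  {acct}@{mach}")
    print("attack graph edges:", attack_graph(rank_sessions(COUNTS, TODAY)))
```

With the constructed data, alice's logon to srv01 ranks first because every model finds it unusual: a machine she has never used, a burst of events with no historical precedent for the service_start to file_read transition, and explicit credentials on an account that never used them. The two routine sessions score below the threshold and produce no graph edges. Real deployments replace the equal-weight mean with weights tuned on labelled history and the hand-picked threshold with one chosen from the alert budget.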
Address: Redmond WA US