| 发明名称 | Systems and methods for using event-correlation graphs to generate remediation procedures | ||
| 摘要 | A computer-implemented method for using event-correlation graphs to generate remediation procedures may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing, in response to detecting the suspicious event involving the first actor, an event-correlation graph that includes (i) a first node that represents the first actor, (ii) a second node that represents a second actor, and (iii) an edge that interconnects the first node and the second node and represents an additional suspicious event involving the first actor and the second actor, and (3) using the event-correlation graph to generate a procedure for remediating an effect of an attack on the computing system that is reflected in the event-correlation graph. Various other methods, systems, and computer-readable media are also disclosed. | ||
| 申请公布号 | US9256739(B1) | 申请公布日期 | 2016.02.09 |
| 申请号 | US201414221703 | 申请日期 | 2014.03.21 |
| 申请人 | Symantec Corporation | 发明人 | Roundy Kevin Alejandro;Bhatkar Sandeep |
| 分类号 | G06F21/55;H04L29/06;G06F21/56;H04L12/24;G06F21/54 | 主分类号 | G06F21/55 |
| 代理机构 | ALG Intellectual Property, LLC | 代理人 | ALG Intellectual Property, LLC |
| 主权项 | 1. A computer-implemented method for using event-correlation graphs to generate remediation procedures, at least a portion of the method being performed by at least one computing device comprising at least one processor, the method comprising: detecting, by the at least one computing device, a suspicious event involving a first actor within a computing system, wherein the suspicious event could not be individually classified as definitively malicious; constructing, by the at least one computing device in response to detecting the suspicious event involving the first actor, an event-correlation graph, wherein: the event-correlation graph comprises at least: a first node that represents the first actor;a second node that represents a second actor; andan edge that interconnects the first node and the second node and represents an additional suspicious event involving the first actor and the second actor;each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious; calculating, by the at least one computing device based at least in part on the additional suspicious event involving the first actor and the second actor, an attack score for the event-correlation graph; determining that the attack score is greater than a predetermined threshold; determining, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event comprises an attack on the computing system; using the event-correlation graph to generate a procedure for remediating an effect of the attack on the computing system. | ||
| 地址 | Mountain View CA US | ||