Title of invention: Systems and methods for adjusting suspiciousness scores in event-correlation graphs
Abstract: A computer-implemented method for adjusting suspiciousness scores in event-correlation graphs may include (1) detecting a suspicious event involving a first actor and a second actor within a computing system, (2) constructing an event-correlation graph that includes (i) a representation of the first actor, (ii) a representation of the suspicious event, and (iii) a representation of the second actor, and (3) adjusting a suspiciousness score associated with at least one representation in the event-correlation graph based at least in part on a suspiciousness score associated with at least one other representation in the event-correlation graph, such that the adjusted suspiciousness score associated with the at least one representation is influenced by the suspicious event. Various other methods, systems, and computer-readable media are also disclosed.
Publication number: US9148441(B1) Publication date: 2015.09.29
Application number: US201314138891 Filing date: 2013.12.23
Applicant: Symantec Corporation Inventors: Tamersoy Acar; Roundy Kevin; Bhatkar Sandeep; Khalil Elias
Classification: H04L29/06; G06F21/57 Main classification: H04L29/06
Agent firm: ALG Intellectual Property, LLC Agent: ALG Intellectual Property, LLC
Principal claim: 1. A computer-implemented method for adjusting suspiciousness scores in event-correlation graphs, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising: detecting a suspicious event involving a first actor and a second actor within a computing system, wherein the suspicious event could not be individually classified as definitively malicious; constructing, after the suspicious event involving the first actor and the second actor is detected, an event-correlation graph, wherein the event-correlation graph comprises at least: a representation of the first actor; a representation of the suspicious event, wherein the representation of the suspicious event and the representation of the first actor are interconnected; a representation of the second actor, wherein the representation of the second actor and the representation of the suspicious event are interconnected; a representation of an additional suspicious event involving the first actor and an additional actor; a representation of the additional actor, wherein: the representation of the first actor and the representation of the additional suspicious event are interconnected; the representation of the additional actor and the representation of the additional suspicious event are interconnected; the additional suspicious event could not be individually classified as definitively malicious; each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious; adjusting a suspiciousness score associated with at least one of an actor represented in the event-correlation graph and a suspicious event represented in the event-correlation graph based at least in part on a suspiciousness score associated with at least one other actor or suspicious event represented in the event-correlation graph such that the adjusted suspiciousness score is influenced by the suspiciousness score associated with the at least one other actor or suspicious event.
Address: Mountain View CA US
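The abstract and principal claim describe the graph and the score adjustment only in words. The Python sketch below is added here as an illustration; it is not code from the patent or from Symantec. It builds an event-correlation graph in which actors and suspicious events are both nodes, every event node is interconnected with its two actors, and each node's suspiciousness score is then adjusted from the scores of its neighbours, so that an actor tied to several individually inconclusive events ends up scored higher than any single event would justify. The concrete update rule (base score plus a damped sum of neighbouring scores, applied for a fixed number of synchronous rounds), the `alpha` damping factor, the `DEFINITIVE_THRESHOLD` cut-off, and the actor and event names and scores in `build_sample_graph` are all constructed assumptions that the patent text does not specify.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed assumption: an event scoring at or above this value could be
# classified as definitively malicious on its own and therefore does not need
# the graph. The claim requires every event in the graph to fall below it.
DEFINITIVE_THRESHOLD = 0.9


@dataclass
class Node:
    """One representation in the event-correlation graph (actor or event)."""
    node_id: str
    kind: str           # "actor" or "event"
    base_score: float   # suspiciousness score before any adjustment


class EventCorrelationGraph:
    def __init__(self) -> None:
        self.nodes: Dict[str, Node] = {}
        self.adjacency: Dict[str, List[str]] = {}

    def add_actor(self, actor_id: str, base_score: float = 0.0) -> None:
        # Actors start neutral unless other evidence says otherwise.
        self.nodes.setdefault(actor_id, Node(actor_id, "actor", base_score))
        self.adjacency.setdefault(actor_id, [])

    def add_event(self, event_id: str, first_actor: str,
                  second_actor: str, base_score: float) -> None:
        # The event node is interconnected with both actors it involves.
        if base_score >= DEFINITIVE_THRESHOLD:
            raise ValueError(f"{event_id} is definitive; not a graph candidate")
        self.add_actor(first_actor)
        self.add_actor(second_actor)
        self.nodes[event_id] = Node(event_id, "event", base_score)
        self.adjacency[event_id] = [first_actor, second_actor]
        self.adjacency[first_actor].append(event_id)
        self.adjacency[second_actor].append(event_id)

    def adjust_scores(self, alpha: float = 0.5,
                      rounds: int = 2) -> Dict[str, float]:
        """Adjust every node's score from its neighbours' scores.

        Constructed rule: adjusted = min(1, base + alpha * sum(neighbour
        scores)), computed synchronously from the previous round's scores so
        that ordering of nodes does not matter.
        """
        scores = {nid: n.base_score for nid, n in self.nodes.items()}
        for _ in range(rounds):
            updated = {}
            for nid, node in self.nodes.items():
                influence = sum(scores[nb] for nb in self.adjacency[nid])
                updated[nid] = min(1.0, node.base_score + alpha * influence)
            scores = updated
        return scores

    def ranked_actors(self, scores: Dict[str, float]) -> List[Tuple[str, float]]:
        """Actors ordered from most to least suspicious after adjustment."""
        actors = [(nid, scores[nid]) for nid, n in self.nodes.items()
                  if n.kind == "actor"]
        return sorted(actors, key=lambda item: item[1], reverse=True)


def build_sample_graph() -> EventCorrelationGraph:
    """Constructed scenario: three low-confidence events on one host."""
    g = EventCorrelationGraph()
    g.add_event("e1", "browser.exe", "dropped_file.exe", 0.3)   # file written
    g.add_event("e2", "dropped_file.exe", "powershell.exe", 0.4)  # child spawn
    g.add_event("e3", "powershell.exe", "run_key", 0.4)  # autorun key modified
    return g


if __name__ == "__main__":
    graph = build_sample_graph()
    adjusted = graph.adjust_scores()
    for actor, score in graph.ranked_actors(adjusted):
        print(f"{actor:18s} {score:.3f}")
```

After one round each actor picks up half the summed scores of the events it touches; after a second round the events themselves rise because their actors are now non-zero, which is the "influenced by the suspicious event" effect the claim describes. With the sample scores, `powershell.exe` (two 0.4 events) ranks above `dropped_file.exe`, and both above `browser.exe`, even though no single event reached the definitive threshold.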