Patents by Inventor Partha Bhattacharya

Partha Bhattacharya has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240070267
    Abstract: Systems and methods for detecting malicious behavior in a network by analyzing process interaction ratios (PIRs) are provided. According to one embodiment, information regarding historical process activity is maintained. The historical process activity includes information regarding various processes hosted by computing devices of a private network. Information regarding process activity within the private network is received for a current observation period. For each process, for each testing time period of a number of testing time periods within the current observation period, a PIR is determined based on (i) a number of unique computing devices that hosted the process and (ii) a number of unique users that executed the process. A particular process is identified as potentially malicious when a measure of deviation of the PIR of the particular process from a historical PIR mean of the particular process exceeds a pre-defined or configurable threshold during a testing time period.
    Type: Application
    Filed: October 31, 2023
    Publication date: February 29, 2024
    Applicant: Fortinet, Inc.
    Inventors: Ernest Mugambi, Partha Bhattacharya, Gun Sumlut
  • Patent number: 11836247
    Abstract: Systems and methods for detecting malicious behavior in a network by analyzing process interaction ratios (PIRs) are provided. According to one embodiment, information regarding historical process activity is maintained. The historical process activity includes information regarding various processes hosted by computing devices of a private network. Information regarding process activity within the private network is received for a current observation period. For each process, for each testing time period of a number of testing time periods within the current observation period, a PIR is determined based on (i) a number of unique computing devices that host the process and (ii) a number of unique users that have executed the process. A particular process is identified as potentially malicious when a measure of deviation of the PIR of the particular process from a historical PIR mean of the particular process exceeds a pre-defined or configurable threshold during a testing time period.
    Type: Grant
    Filed: March 30, 2020
    Date of Patent: December 5, 2023
    Assignee: Fortinet, Inc.
    Inventors: Ernest Mugambi, Partha Bhattacharya, Gun Sumlut
  • Patent number: 11700269
    Abstract: Systems and methods for analyzing user behavior patterns to detect compromised computing devices in an enterprise network are provided. According to one embodiment, an enforcement engine running on a network security device identifies top users of a network exhibiting a suspicious behavior relating to login failures by determining a first set of users having a number of login failure events during a given time duration exceeding a threshold. The enforcement engine identifies, from the first set of computers associated with the top users, a second set of computers exhibiting a suspicious behavior relating to new connections exceeding a threshold. The enforcement engine classifies a third set of computers, representing a subset of the second set exhibiting a suspicious behavior relating to consecutive new connections, as compromised source computers when their respective new connections are in a sequence that results in a Shannon entropy measure exceeding a threshold.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: July 11, 2023
    Assignee: Fortinet, Inc.
    Inventors: Ernest Mugambi, Partha Bhattacharya
  • Publication number: 20230124404
    Abstract: Systems and methods for adaptively provisioning a distributed event data store of a multi-tenant architecture are provided. According to one embodiment, a managed security service provider (MSSP) maintains a distributed event data store on behalf of each tenant of the MSSP. For each tenant, the MSSP periodically determines a provisioning status for a current active partition of the distributed event data store of the tenant. Further, when the determining indicates an under-provisioning condition exists, the MSSP dynamically increases the number of resource provision units (RPUs) to be used for a new partition to be added to the partitions for the tenant by a first adjustment ratio. Conversely, when the determining indicates an over-provisioning condition exists, the MSSP dynamically decreases the number of RPUs to be used for subsequent partitions added to the partitions for the tenant by a second adjustment ratio.
    Type: Application
    Filed: December 2, 2022
    Publication date: April 20, 2023
    Applicant: Fortinet, Inc.
    Inventors: Jun He, Partha Bhattacharya, Jae Yoo
  • Patent number: 11531570
    Abstract: Systems and methods for adaptively provisioning a distributed event data store of a multi-tenant architecture are provided. According to one embodiment, a managed security service provider (MSSP) maintains a distributed event data store on behalf of each tenant of the MSSP. For each tenant, the MSSP periodically determines a provisioning status for a current active partition of the distributed event data store of the tenant. Further, when the determining indicates an under-provisioning condition exists, the MSSP dynamically increases the number of resource provision units (RPUs) to be used for a new partition to be added to the partitions for the tenant by a first adjustment ratio. Conversely, when the determining indicates an over-provisioning condition exists, the MSSP dynamically decreases the number of RPUs to be used for subsequent partitions added to the partitions for the tenant by a second adjustment ratio.
    Type: Grant
    Filed: March 11, 2020
    Date of Patent: December 20, 2022
    Assignee: Fortinet, Inc.
    Inventors: Jun He, Partha Bhattacharya, Jae Yoo
  • Publication number: 20210303682
    Abstract: Systems and methods for detecting malicious behavior in a network by analyzing process interaction ratios (PIRs) are provided. According to one embodiment, information regarding historical process activity is maintained. The historical process activity includes information regarding various processes hosted by computing devices of a private network. Information regarding process activity within the private network is received for a current observation period. For each process, for each testing time period of a number of testing time periods within the current observation period, a PIR is determined based on (i) a number of unique computing devices that host the process and (ii) a number of unique users that have executed the process. A particular process is identified as potentially malicious when a measure of deviation of the PIR of the particular process from a historical PIR mean of the particular process exceeds a pre-defined or configurable threshold during a testing time period.
    Type: Application
    Filed: March 30, 2020
    Publication date: September 30, 2021
    Applicant: Fortinet, Inc.
    Inventors: Ernest Mugambi, Partha Bhattacharya, Gun Sumlut
  • Publication number: 20210286652
    Abstract: Systems and methods for adaptively provisioning a distributed event data store of a multi-tenant architecture are provided. According to one embodiment, a managed security service provider (MSSP) maintains a distributed event data store on behalf of each tenant of the MSSP. For each tenant, the MSSP periodically determines a provisioning status for a current active partition of the distributed event data store of the tenant. Further, when the determining indicates an under-provisioning condition exists, the MSSP dynamically increases the number of resource provision units (RPUs) to be used for a new partition to be added to the partitions for the tenant by a first adjustment ratio. Conversely, when the determining indicates an over-provisioning condition exists, the MSSP dynamically decreases the number of RPUs to be used for subsequent partitions added to the partitions for the tenant by a second adjustment ratio.
    Type: Application
    Filed: March 11, 2020
    Publication date: September 16, 2021
    Applicant: Fortinet, Inc.
    Inventors: Jun He, Partha Bhattacharya, Jae Yoo
  • Patent number: 10938926
    Abstract: Network identity to user identity and location mapping information can be found in various logs (such as Active Directory logs, DHCP logs, VPN logs, and WLAN authentication logs) and certain files such as router Layer 2 or 3 forwarding tables. For a large organization, this mapping can be dynamic. Accurate user identity and location information is crucial to assessing the security risk associated with a host and taking corrective action. This invention discloses a distributed in-memory user database update methodology for keeping track of large-scale, dynamically updating network-to-user identity mappings. The technique is further configurable for specific users, specific devices, or specific attributes in the metadata.
    Type: Grant
    Filed: December 30, 2016
    Date of Patent: March 2, 2021
    Assignee: Fortinet, Inc.
    Inventors: Partha Bhattacharya, Santosh Rao
  • Publication number: 20200195672
    Abstract: Systems and methods for analyzing user behavior patterns to detect compromised computing devices in an enterprise network are provided. According to one embodiment, an enforcement engine running on a network security device identifies top users of a network exhibiting a suspicious behavior relating to login failures by determining a first set of users having a number of login failure events during a given time duration exceeding a threshold. The enforcement engine identifies, from the first set of computers associated with the top users, a second set of computers exhibiting a suspicious behavior relating to new connections exceeding a threshold. The enforcement engine classifies a third set of computers, representing a subset of the second set exhibiting a suspicious behavior relating to consecutive new connections, as compromised source computers when their respective new connections are in a sequence that results in a Shannon entropy measure exceeding a threshold.
    Type: Application
    Filed: December 18, 2018
    Publication date: June 18, 2020
    Applicant: Fortinet, Inc.
    Inventors: Ernest Mugambi, Partha Bhattacharya
  • Patent number: 10445479
    Abstract: Metadata is received for different log events from a plurality of regional controller nodes, implemented at least partially in hardware and geographically dispersed around the data communication network for proximity to network devices. Each of the log events is reported by the network devices to a regional collector node of the plurality of regional controller nodes. Log events concerning a user authenticating to a network device that is geographically proximate to the user, and comprising at least a user identity aspect and a location aspect for specific users of stations serviced by the network devices, are detected. Feasibility of location changes can be determined to identify possible identity theft.
    Type: Grant
    Filed: September 30, 2017
    Date of Patent: October 15, 2019
    Assignee: Fortinet, Inc.
    Inventors: Santosh Rao, Wenjun Cai, Partha Bhattacharya
  • Patent number: 10404558
    Abstract: Dynamic reporting rates for a log management system are adaptively allocated. Each individual controller node device of a plurality of controller nodes is initially allocated an EPS rate limit for submitting event records to a log management system (e.g., an SIEM log management system) out of a licensed EPS rate. When surges are detected, the log management system dynamically reallocates proportions of EPS rates within the licensed EPS rate. The individual EPS rate limit for at least one collector node is adjusted in real time for a specific controller node based on under-usage by other collector nodes. Another technique is to prioritize or weight events causing the surge to determine adjustments to the EPS rate.
    Type: Grant
    Filed: June 6, 2018
    Date of Patent: September 3, 2019
    Assignee: Fortinet, Inc.
    Inventors: Jun He, Partha Bhattacharya
  • Publication number: 20180375746
    Abstract: Dynamic reporting rates for a log management system are adaptively allocated. Each individual controller node device of a plurality of controller nodes is initially allocated an EPS rate limit for submitting event records to a log management system (e.g., an SIEM log management system) out of a licensed EPS rate. When surges are detected, the log management system dynamically reallocates proportions of EPS rates within the licensed EPS rate. The individual EPS rate limit for at least one collector node is adjusted in real time for a specific controller node based on under-usage by other collector nodes. Another technique is to prioritize or weight events causing the surge to determine adjustments to the EPS rate.
    Type: Application
    Filed: June 6, 2018
    Publication date: December 27, 2018
    Inventors: Jun He, Partha Bhattacharya
  • Patent number: 10148698
    Abstract: Event record purging is selectively enforced in a high-volume log system. A plurality of data retention policies is received for one or more data types. Each data retention policy can describe a retention duration for enforcement of different data types with respect to online retention and offline retention. Only online compressed files from a period of time potentially containing event records with an expiring retention duration are uncompressed. Other files are ignored to save I/O bandwidth for supporting queries of event records. Some implementations search records using the index as well.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: December 4, 2018
    Assignee: Fortinet, Inc.
    Inventors: Santosh Rao, Partha Bhattacharya
  • Patent number: 10044578
    Abstract: Dynamic reporting rates for a log management system are adaptively allocated. Each individual controller node device of a plurality of controller nodes is initially allocated an EPS rate limit for submitting event records to a log management system (e.g., an SIEM log management system) out of a licensed EPS rate. When surges are detected, the log management system dynamically reallocates proportions of EPS rates within the licensed EPS rate. The individual EPS rate limit for at least one collector node is adjusted in real time for a specific controller node based on under-usage by other collector nodes. Another technique is to prioritize or weight events causing the surge to determine adjustments to the EPS rate.
    Type: Grant
    Filed: September 27, 2016
    Date of Patent: August 7, 2018
    Assignee: Fortinet, Inc.
    Inventors: Jun He, Partha Bhattacharya
  • Publication number: 20180189467
    Abstract: Metadata is received for different log events from a plurality of regional controller nodes, implemented at least partially in hardware and geographically dispersed around the data communication network for proximity to network devices. Each of the log events is reported by the network devices to a regional collector node of the plurality of regional controller nodes. Log events concerning a user authenticating to a network device that is geographically proximate to the user, and comprising at least a user identity aspect and a location aspect for specific users of stations serviced by the network devices, are detected. Feasibility of location changes can be determined to identify possible identity theft.
    Type: Application
    Filed: September 30, 2017
    Publication date: July 5, 2018
    Inventors: Santosh Rao, Wenjun Cai, Partha Bhattacharya
  • Publication number: 20180191848
    Abstract: Network identity to user identity and location mapping information can be found in various logs (such as Active Directory logs, DHCP logs, VPN logs, and WLAN authentication logs) and certain files such as router Layer 2 or 3 forwarding tables. For a large organization, this mapping can be dynamic. Accurate user identity and location information is crucial to assessing the security risk associated with a host and taking corrective action. This invention discloses a distributed in-memory user database update methodology for keeping track of large-scale, dynamically updating network-to-user identity mappings. The technique is further configurable for specific users, specific devices, or specific attributes in the metadata.
    Type: Application
    Filed: December 30, 2016
    Publication date: July 5, 2018
    Inventors: Partha Bhattacharya, Santosh Rao
  • Publication number: 20180097844
    Abstract: Event record purging is selectively enforced in a high-volume log system. A plurality of data retention policies is received for one or more data types. Each data retention policy can describe a retention duration for enforcement of different data types with respect to online retention and offline retention. Only online compressed files from a period of time potentially containing event records with an expiring retention duration are uncompressed. Other files are ignored to save I/O bandwidth for supporting queries of event records. Some implementations search records using the index as well.
    Type: Application
    Filed: September 30, 2016
    Publication date: April 5, 2018
    Inventors: Santosh Rao, Partha Bhattacharya
  • Publication number: 20180091393
    Abstract: Dynamic reporting rates for a log management system are adaptively allocated. Each individual controller node device of a plurality of controller nodes is initially allocated an EPS rate limit for submitting event records to a log management system (e.g., an SIEM log management system) out of a licensed EPS rate. When surges are detected, the log management system dynamically reallocates proportions of EPS rates within the licensed EPS rate. The individual EPS rate limit for at least one collector node is adjusted in real time for a specific controller node based on under-usage by other collector nodes. Another technique is to prioritize or weight events causing the surge to determine adjustments to the EPS rate.
    Type: Application
    Filed: September 27, 2016
    Publication date: March 29, 2018
    Inventors: Jun He, Partha Bhattacharya
  • Patent number: 8510432
    Abstract: In a method and system for aggregating event information, events are received at a first plurality of nodes in a distributed system. For the events received at each node, aggregated attribute information is determined in accordance with two or more rules and stored in distinct first tables, each table storing aggregated attribute information for a respective rule of the two or more rules. At each node of the first plurality of nodes, the two or more distinct first tables are transmitted to a respective node of a second set of nodes in the distributed system. At each node of the second set of nodes, two or more distinct second tables are generated by merging the aggregated attribute information in the tables transmitted to the node. Each rule of the two or more rules is evaluated using the aggregated attribute information obtained from a corresponding table of the second tables.
    Type: Grant
    Filed: June 24, 2010
    Date of Patent: August 13, 2013
    Assignee: Accelops, Inc.
    Inventors: Partha Bhattacharya, Sheng Chen, Hongbo Zhu
  • Patent number: 8423894
    Abstract: A network security monitor system groups a plurality of security events into network sessions, correlates the network sessions according to a set of predefined network security event correlation rules, and generates a security incident for the network sessions that satisfy one of the network security event correlation rules. The system then presents the information of the network sessions and security incidents to a user of the system in an intuitive form. The user is able not only to learn the details of a possible network attack, but also to create new security event correlation rules intuitively, including drop rules for dropping a particular type of event.
    Type: Grant
    Filed: November 16, 2009
    Date of Patent: April 16, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Partha Bhattacharya, Imin T. Lee, Aji Joseph, Eli Stevens, Diwakar Naramreddy