Abstract: Embodiments of the present disclosure provide systems, methods, and non-transitory computer storage media for identifying malicious enterprise behaviors within a large enterprise. At a high level, embodiments of the present disclosure identify sub-graphs of behaviors within an enterprise based on probabilistic and deterministic methods. For example, starting with the node or edge having the highest risk score, embodiments of the present disclosure iteratively crawl a list of neighbors associated with the nodes or edges to identify subsets of behaviors within an enterprise that indicate potentially malicious activity based on the risk scores of each connected node and edge. In another example, embodiments select a target node and traverse the connected nodes via edges until a root-cause condition is met. Based on the traversal, a sub-graph is identified indicating a malicious execution path of traversed nodes with associated insights indicating the meaning or activity of the node.

Abstract: In network security systems, graph-based techniques can be used to analyze data collected for a particular security incident, e.g., a command-and-control incident. In example embodiments, data extracted from data records of network activity and/or security alerts is used to generate a multipartite graph in which different entities (e.g., machines, processes, and domains or IP addresses) are represented as different types of nodes and relationships between the entities are represented as edges. The multipartite graph may be clustered, and the clusters be ranked according to some indicator of maliciousness (e.g., the number of associated security alerts or indicators of compromise (IoCs)). An output generated from the highest-ranking cluster(s) may serve, e.g., to identify new IoCs, or flow into mitigating actions taken in response to the incident.

Abstract: In network security systems, graph-based techniques can be used to analyze data collected for a particular security incident, e.g., a command-and-control incident. In example embodiments, data extracted from data records of network activity and/or security alerts is used to generate a multipartite graph in which different entities (e.g., machines, processes, and domains or IP addresses) are represented as different types of nodes and relationships between the entities are represented as edges. The multipartite graph may be clustered, and the clusters be ranked according to some indicator of maliciousness (e.g., the number of associated security alerts or indicators of compromise (IoCs)). An output generated from the highest-ranking cluster(s) may serve, e.g., to identify new IoCs, or flow into mitigating actions taken in response to the incident.

Abstract: In network security systems, graph-based techniques can be used to analyze data collected for a particular security incident, e.g., a command-and-control incident. In example embodiments, data extracted from data records of network activity and/or security alerts is used to generate a multipartite graph in which different entities (e.g., machines, processes, and domains or IP addresses) are represented as different types of nodes and relationships between the entities are represented as edges. The multipartite graph may be clustered, and the clusters be ranked according to some indicator of maliciousness (e.g., the number of associated security alerts or indicators of compromise (IoCs)). An output generated from the highest-ranking cluster(s) may serve, e.g., to identify new IoCs, or flow into mitigating actions taken in response to the incident.

Abstract: Embodiments of the present disclosure provide systems, methods, and non-transitory computer storage media for identifying malicious enterprise behaviors within a large enterprise. At a high level, embodiments of the present disclosure identify sub-graphs of behaviors within an enterprise based on probabilistic and deterministic methods. For example, starting with the node or edge having the highest risk score, embodiments of the present disclosure iteratively crawl a list of neighbors associated with the nodes or edges to identify subsets of behaviors within an enterprise that indicate potentially malicious activity based on the risk scores of each connected node and edge. In another example, embodiments select a target node and traverse the connected nodes via edges until a root-cause condition is met. Based on the traversal, a sub-graph is identified indicating a malicious execution path of traversed nodes with associated insights indicating the meaning or activity of the node.

Abstract: Embodiments of the present disclosure provide systems, methods, and non-transitory computer storage media for identifying malicious enterprise behaviors within a large enterprise. At a high level, embodiments of the present disclosure identify sub-graphs of behaviors within an enterprise based on probabilistic and deterministic methods. For example, starting with the node or edge having the highest risk score, embodiments of the present disclosure iteratively crawl a list of neighbors associated with the nodes or edges to identify subsets of behaviors within an enterprise that indicate potentially malicious activity based on the risk scores of each connected node and edge. In another example, embodiments select a target node and traverse the connected nodes via edges until a root-cause condition is met. Based on the traversal, a sub-graph is identified indicating a malicious execution path of traversed nodes with associated insights indicating the meaning or activity of the node.

Abstract: Embodiments of the present disclosure provide systems, methods, and non-transitory computer storage media for identifying malicious enterprise behaviors within a large enterprise. At a high level, embodiments of the present disclosure identify sub-graphs of behaviors within an enterprise based on probabilistic and deterministic methods. For example, starting with the node or edge having the highest risk score, embodiments of the present disclosure iteratively crawl a list of neighbors associated with the nodes or edges to identify subsets of behaviors within an enterprise that indicate potentially malicious activity based on the risk scores of each connected node and edge. In another example, embodiments select a target node and traverse the connected nodes via edges until a root-cause condition is met. Based on the traversal, a sub-graph is identified indicating a malicious execution path of traversed nodes with associated insights indicating the meaning or activity of the node.