Abstract: In network security systems, graph-based techniques can be used to analyze data collected for a particular security incident, e.g., a command-and-control incident. In example embodiments, data extracted from data records of network activity and/or security alerts is used to generate a multipartite graph in which different entities (e.g., machines, processes, and domains or IP addresses) are represented as different types of nodes and relationships between the entities are represented as edges. The multipartite graph may be clustered, and the clusters be ranked according to some indicator of maliciousness (e.g., the number of associated security alerts or indicators of compromise (IoCs)). An output generated from the highest-ranking cluster(s) may serve, e.g., to identify new IoCs, or flow into mitigating actions taken in response to the incident.

Abstract: In network security systems, graph-based techniques can be used to analyze data collected for a particular security incident, e.g., a command-and-control incident. In example embodiments, data extracted from data records of network activity and/or security alerts is used to generate a multipartite graph in which different entities (e.g., machines, processes, and domains or IP addresses) are represented as different types of nodes and relationships between the entities are represented as edges. The multipartite graph may be clustered, and the clusters be ranked according to some indicator of maliciousness (e.g., the number of associated security alerts or indicators of compromise (IoCs)). An output generated from the highest-ranking cluster(s) may serve, e.g., to identify new IoCs, or flow into mitigating actions taken in response to the incident.

Abstract: In network security systems, graph-based techniques can be used to analyze data collected for a particular security incident, e.g., a command-and-control incident. In example embodiments, data extracted from data records of network activity and/or security alerts is used to generate a multipartite graph in which different entities (e.g., machines, processes, and domains or IP addresses) are represented as different types of nodes and relationships between the entities are represented as edges. The multipartite graph may be clustered, and the clusters be ranked according to some indicator of maliciousness (e.g., the number of associated security alerts or indicators of compromise (IoCs)). An output generated from the highest-ranking cluster(s) may serve, e.g., to identify new IoCs, or flow into mitigating actions taken in response to the incident.