-
Publication (Announcement) No.: US20230247031A1
Publication (Announcement) Date: 2023-08-03
Application No.: US17649552
Application Date: 2022-01-31
Applicant: salesforce.com, inc.
Inventor: Anirudh Kondaveeti
IPC: H04L9/40
CPC classification number: H04L63/1416, H04L63/1425, H04L63/1466, H04L63/20
Abstract: A method for the detection of multi-killchain alerts is disclosed. The method includes receiving, by a computer system, a plurality of alerts indicative of activity within a computer network, wherein a given alert specifies one or more events having attributes, and extracting attributes from events included in the plurality of alerts. The method further includes determining attribute similarity for pairs of events based on whether a given pair of events has common values for one or more attributes and whether the attribute values of the given pair of events indicate lateral movement within computers of the computer network. Linked pairs are then identified based on the determined attribute similarity and added to a graph data structure. The method further includes the computer system analyzing the graph data structure to find clusters of events relating to a security attack.
-
Publication (Announcement) No.: US20210120026A1
Publication (Announcement) Date: 2021-04-22
Application No.: US17013209
Application Date: 2020-09-04
Applicant: salesforce.com, inc.
Inventor: Anirudh Kondaveeti
IPC: H04L29/06
Abstract: Various embodiments of methods for detecting anomalous activity in a computer network are disclosed. A method includes a computer system receiving an indication of a current session establishing a secure channel to a computing device within a network. The computer system evaluates information relating to the current session, as well as information relating to one or more other sessions. Using this information, the computing system performs monitoring to detect the presence of anomalous lateral movement within the network, for example based on detecting multiple user credentials. Based on the evaluating performed, the computer system generates a score for the current session and reports whether the score is indicative of anomalous lateral movement.
-
Publication (Announcement) No.: US11736503B2
Publication (Announcement) Date: 2023-08-22
Application No.: US17013209
Application Date: 2020-09-04
Applicant: salesforce.com, inc.
Inventor: Anirudh Kondaveeti
CPC classification number: H04L63/1425, H04L63/0272
Abstract: Various embodiments of methods for detecting anomalous activity in a computer network are disclosed. A method includes a computer system receiving an indication of a current session establishing a secure channel to a computing device within a network. The computer system evaluates information relating to the current session, as well as information relating to one or more other sessions. Using this information, the computing system performs monitoring to detect the presence of anomalous lateral movement within the network, for example based on detecting multiple user credentials. Based on the evaluating performed, the computer system generates a score for the current session and reports whether the score is indicative of anomalous lateral movement.
-
Publication (Announcement) No.: US12210621B2
Publication (Announcement) Date: 2025-01-28
Application No.: US17578670
Application Date: 2022-01-19
Applicant: salesforce.com, inc.
Inventor: Regunathan Radhakrishnan, Vijay Erramilli, Anirudh Kondaveeti
Abstract: Methods, computer readable media, and devices to automatically construct a kill chain from security alerts are disclosed. One method may include collecting a plurality of security alerts, receiving a selection of a high severity security alert associated with a node and a user from among the plurality of security alerts, creating a security narrative for the high severity security alert by providing a set of historical security alerts to a deep learning architecture, the set including security alerts selected based on a relation to the node and the user, and identifying a subset of the set of historical security alerts, including security alerts relevant to the high severity security alert, in reverse time order by the deep learning architecture, and providing the security narrative as part of a response to the high severity security alert.
-
Publication (Announcement) No.: US20230229763A1
Publication (Announcement) Date: 2023-07-20
Application No.: US17578670
Application Date: 2022-01-19
Applicant: salesforce.com, inc.
Inventor: Regunathan Radhakrishnan, Vijay Erramilli, Anirudh Kondaveeti
CPC classification number: G06F21/554, G06N3/08, G06F2221/034
Abstract: Methods, computer readable media, and devices to automatically construct a kill chain from security alerts are disclosed. One method may include collecting a plurality of security alerts, receiving a selection of a high severity security alert associated with a node and a user from among the plurality of security alerts, creating a security narrative for the high severity security alert by providing a set of historical security alerts to a deep learning architecture, the set including security alerts selected based on a relation to the node and the user, and identifying a subset of the set of historical security alerts, including security alerts relevant to the high severity security alert, in reverse time order by the deep learning architecture, and providing the security narrative as part of a response to the high severity security alert.
-
Publication (Announcement) No.: US20190387009A1
Publication (Announcement) Date: 2019-12-19
Application No.: US16011487
Application Date: 2018-06-18
Applicant: salesforce.com, inc.
Inventor: Anirudh Kondaveeti
IPC: H04L29/06
Abstract: Techniques and architectures for privilege escalation detection. User login information for multiple users in a multiuser secure computing environment is analyzed to generate multiple user evaluations. The multiple user evaluations are analyzed to generate at least a population evaluation for the multiuser secure computing environment. Node scores are generated for nodes in the population evaluation to determine one or more entry nodes for the multiple users in the multiuser secure computing environment. The node scores are compared to one or more threshold values to determine whether the user login information corresponding to one or more of the multiple users indicates a privilege escalation condition. A security response action occurs in response to detecting a privilege escalation condition.
-
Publication (Announcement) No.: US11233806B2
Publication (Announcement) Date: 2022-01-25
Application No.: US16011487
Application Date: 2018-06-18
Applicant: salesforce.com, inc.
Inventor: Anirudh Kondaveeti
IPC: H04L29/06
Abstract: Techniques and architectures for privilege escalation detection. User login information for multiple users in a multiuser secure computing environment is analyzed to generate multiple user evaluations. The multiple user evaluations are analyzed to generate at least a population evaluation for the multiuser secure computing environment. Node scores are generated for nodes in the population evaluation to determine one or more entry nodes for the multiple users in the multiuser secure computing environment. The node scores are compared to one or more threshold values to determine whether the user login information corresponding to one or more of the multiple users indicates a privilege escalation condition. A security response action occurs in response to detecting a privilege escalation condition.