US-12621327-B1 - Detection of anomalous activities in an enterprise network

Abstract

An enterprise network has network assets, with each network asset having a network interface. A network graph has the network assets as nodes and connections between network interfaces of network assets as edges. An activity graph has nodes and edges, with each node representing a logical resource that performs an activity on the enterprise network, and each edge representing a relationship between the logical resources. Subgraphs of the activity graph are aligned to subgraphs of the network graph to create a mapping based on network assets associated with activities. Activity subgraphs that are aligned to the same network subgraph are compared for similarity to detect anomalous activities. The network graph is displayed at different hierarchical levels as a visualization on a display screen, with risk assessments overlayed on corresponding nodes on the visualization.

Inventors

  • Michael Dysart
  • Partheeban Chandrasekaran

Assignees

  • TREND MICRO INCORPORATED

Dates

Publication Date
2026-05-05
Application Date
2024-02-20

Claims (9)

  1. A method of detecting anomalous activities in an enterprise network, the method comprising: transforming network attributes of network assets of an enterprise network into a network graph, each of the network assets comprising a computing component with a network interface; transforming activities that occurred on the enterprise network into an activity graph; aligning activity subgraphs of the activity graph to network subgraphs of the network graph based on network assets that are associated with activities represented in the activity subgraphs; determining similarity of a target activity subgraph to other activity subgraphs that are aligned to a same network subgraph as the target activity subgraph; and detecting that activities represented in the target activity subgraph are anomalous based at least in response to the target activity subgraph not being similar to any of the other activity subgraphs that are aligned to the same network subgraph as the target activity subgraph.
  2. The method of claim 1, further comprising: identifying hierarchical subgraphs of the network graph to find the network subgraphs; and identifying hierarchical subgraphs of the activity graph to find the activity subgraphs.
  3. The method of claim 1, wherein aligning the activity subgraphs of the activity graph to the network subgraphs of the network graph includes: calculating Jaccard similarity values of the activity subgraphs of the activity graph and the network subgraphs of the network graph; and mapping activity subgraphs to similar network subgraphs based on the Jaccard similarity values.
  4. The method of claim 1, further comprising: describing each of the network subgraphs with a vector; and clustering the network subgraphs based on corresponding vectors of the network subgraphs.
  5. The method of claim 1, further comprising: displaying the network graph as a visualization on a display screen of an endpoint computer; on the visualization, displaying a set of network subgraphs of the network graph as a common node; and on the visualization, expanding the common node to display the set of network subgraphs in response to selection of the common node by a user of the endpoint computer.
  6. The method of claim 5, further comprising: overlaying an aggregation of risk assessments of the set of network subgraphs on the common node.
  7. An enterprise network comprising: a plurality of network assets, each of the plurality of network assets comprising a computing component with a network interface; a backend system comprising at least one processor and a memory, the memory of the backend system storing instructions that when executed by the at least one processor of the backend system cause the backend system to: receive network attributes of the plurality of network assets; transform the network attributes into a network graph; receive events data of a plurality of activities on the enterprise network; transform the plurality of activities into an activity graph; create an alignment graph that maps activity subgraphs of the activity graph to network subgraphs of the network graph; determine similarity of a target activity subgraph to other activity subgraphs that are aligned to a same network subgraph as the target activity subgraph in the alignment graph; and detect that activities represented in the target activity subgraph are anomalous based at least in response to the target activity subgraph not being similar to any of the other activity subgraphs that are aligned to the same network subgraph as the target activity subgraph; and an endpoint computer comprising a display screen, at least one processor, and a memory, the memory of the endpoint computer storing instructions that when executed by the at least one processor of the endpoint computer cause the endpoint computer to display the network graph as a visualization on the display screen.
  8. The system of claim 7, wherein the instructions stored in the memory of the endpoint computer when executed by the at least one processor of the endpoint computer cause the endpoint computer to: on the visualization, display a set of network subgraphs of the network graph as a common node; and on the visualization, expand the common node to display the set of network subgraphs in response to selection of the common node by a user of the endpoint computer.
  9. The system of claim 7, wherein the instructions stored in the memory of the endpoint computer when executed by the at least one processor of the endpoint computer cause the endpoint computer to overlay an aggregation of risk assessments on the common node on the visualization.
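The alignment and detection steps recited in claims 1 and 3 can be read as a small pipeline: reduce each network subgraph to the set of assets it contains, map each activity subgraph to the network subgraph whose asset set has the highest Jaccard similarity to the assets its activities ran on, and then compare every activity subgraph against the other activity subgraphs mapped to the same network subgraph. The following Python is an added illustration written for this page, not code from the patent or from Trend Micro; the network and activity subgraphs are constructed sample data, and the choice to compare activity subgraphs by the Jaccard similarity of their relationship-edge sets, the 0.5 threshold, and the handling of subgraphs that have no peers are assumptions of this example rather than anything the claims specify.

```python
"""Subgraph alignment and peer-similarity anomaly detection (illustrative, not the patent's code)."""
from collections import defaultdict


def jaccard(a, b):
    """Jaccard similarity |A∩B| / |A∪B| of two sets; two empty sets count as identical."""
    a, b = set(a), set(b)
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


# Constructed network subgraphs: each hierarchical group of the network graph is
# reduced to the set of network assets (hosts) it contains.
NETWORK_SUBGRAPHS = {
    "web-tier": {"lb-01", "web-01", "web-02"},
    "db-tier": {"db-01", "db-02"},
    "corp-lan": {"ws-101", "ws-102", "ws-103", "fs-01"},
}

# Constructed activity subgraphs: "assets" are the network assets the logical
# resources ran on; "edges" are (resource, relationship, resource) triples.
ACTIVITY_SUBGRAPHS = {
    "A1": {"assets": {"lb-01", "web-01"},
           "edges": {("lb", "forwards_to", "httpd"), ("httpd", "connects_to", "db-client")}},
    "A2": {"assets": {"lb-01", "web-02"},
           "edges": {("lb", "forwards_to", "httpd"), ("httpd", "connects_to", "db-client")}},
    # A3 runs on the same tier as A1/A2 but its relationships look nothing like theirs.
    "A3": {"assets": {"web-01", "web-02"},
           "edges": {("httpd", "spawns", "interpreter"), ("interpreter", "connects_to", "unknown-host")}},
    "B1": {"assets": {"ws-101", "fs-01"}, "edges": {("explorer", "reads", "fileshare")}},
    "B2": {"assets": {"ws-102", "fs-01"}, "edges": {("explorer", "reads", "fileshare")}},
    # D1 is the only activity subgraph on its tier, so it has no peers to compare against.
    "D1": {"assets": {"db-01"}, "edges": {("postgres", "writes", "wal")}},
}


def align(activity_subgraphs, network_subgraphs):
    """Map each activity subgraph to the network subgraph whose asset set is most similar (claim 3)."""
    alignment = {}
    for act_id, act in activity_subgraphs.items():
        best_name, best_score = None, 0.0
        for net_name, assets in network_subgraphs.items():
            score = jaccard(act["assets"], assets)
            if score > best_score:
                best_name, best_score = net_name, score
        alignment[act_id] = best_name  # None when the activity touched no known asset
    return alignment


def detect_anomalies(activity_subgraphs, network_subgraphs, threshold=0.5):
    """Flag an activity subgraph when it is not similar to any peer aligned to the same network subgraph.

    Returns the alignment, the anomalous subgraph ids, and the ids that could not be
    reviewed (no alignment or no peers). Treating peerless subgraphs as "unreviewed"
    rather than "anomalous" is this example's assumption.
    """
    alignment = align(activity_subgraphs, network_subgraphs)
    groups = defaultdict(list)
    for act_id, net_name in alignment.items():
        if net_name is not None:
            groups[net_name].append(act_id)

    anomalous, unreviewed = [], []
    for act_id, net_name in alignment.items():
        if net_name is None:
            unreviewed.append(act_id)
            continue
        peers = [p for p in groups[net_name] if p != act_id]
        if not peers:
            unreviewed.append(act_id)
            continue
        # Similarity of relationship structure against every peer on the same network subgraph.
        best_peer_score = max(
            jaccard(activity_subgraphs[act_id]["edges"], activity_subgraphs[p]["edges"])
            for p in peers
        )
        if best_peer_score < threshold:
            anomalous.append(act_id)
    return {"alignment": alignment, "anomalous": sorted(anomalous), "unreviewed": sorted(unreviewed)}


if __name__ == "__main__":
    result = detect_anomalies(ACTIVITY_SUBGRAPHS, NETWORK_SUBGRAPHS)
    for act_id, net_name in result["alignment"].items():
        print(f"{act_id} -> {net_name}")
    print("anomalous:", result["anomalous"])
    print("unreviewed:", result["unreviewed"])
```

On the sample data, A1, A2 and A3 all align to the web tier; A1 and A2 share identical relationship edges, while A3 shares none with either, so A3 is the only subgraph reported as anomalous. D1 aligns to the database tier but has no peers there, which is the case a production implementation has to decide on explicitly: with a single activity subgraph per network subgraph, "not similar to any other" is vacuously true, so the example reports it separately instead of raising an alert.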

Description

TECHNICAL FIELD

The present disclosure is directed to cybersecurity.

BACKGROUND

Enterprises maintain computer networks that connect a multitude of computers across multiple geographic regions and availability zones. An enterprise network can include a large number of backend servers that run in the cloud or on premises and are connected to an even larger number of internal and external clients that run on machines in other locations. Needless to say, today's enterprise networks are very complicated, and understanding the relationships between network assets on an enterprise network to identify vulnerabilities can be extremely difficult.

Unfortunately, enterprise networks are under constant threat of cyberattacks. Although there are commercially available cybersecurity components for monitoring the enterprise network for potential cyber threats, the amount of security-related information the cybersecurity components generate can be overwhelming. More particularly, cybersecurity components can assess the security risks in an enterprise network, but the assessment is presented in a form that is difficult to understand due to the size and complexity of the enterprise network.

Risk assessments may be included as items in a list. Listing can be effective, especially when combined with sorting and filtering. However, listing often fails to provide context; that is, it is often difficult to understand which items in a list are related. It is not realistic to expect security personnel to browse lists that have hundreds of thousands of items, and it is difficult to browse and produce an overview from a plain list.

Searching risk assessments with queries is a powerful way to find items of interest. However, searching with queries requires upfront knowledge about what information might be available or useful. Security personnel typically need years of experience to perform such searches effectively. Also, the result of the search is often a list, which as noted can be difficult to use and interpret.

Network graphs are a way to visualize network connections. Larger network graphs that contain hundreds of thousands of nodes are often difficult to understand, so risk assessments presented as part of conventional network graphs do not provide understandable insight into the security risks of the enterprise network.

Knowledge graphs are a way to visualize related information across different domains. Knowledge graphs often require an item of interest, which is usually chosen from a list. The number of items shown is usually small, since each item carries its own related information across domains, which often makes the amount of information displayed per item even larger compared to more focused graphs.

Architecture diagrams are a way to gain an overview of how the enterprise network works. Architecture diagrams are manually created by system architects and may not reflect the real-world implementation. They are at a higher level and are meant to aid in understanding the overall network. Architecture diagrams are often accompanied by short narratives embedded in the diagram to further aid understanding. However, architecture diagrams are often focused more on how the network works than on the security risks of the network.

What is needed is a way for security personnel to readily evaluate risk assessments and be alerted to anomalous activities in the enterprise network.

BRIEF SUMMARY

In one embodiment, an enterprise network has network assets, with each network asset having a network interface. A network graph has the network assets as nodes and connections between network interfaces of network assets as edges. An activity graph has nodes and edges, with each node representing a logical resource that performs an activity on the enterprise network, and each edge representing a relationship between the logical resources. Subgraphs of the activity graph are aligned to subgraphs of the network graph to create a mapping based on network assets associated with activities. Activity subgraphs that are aligned to the same network subgraph are compared for similarity to detect anomalous activities. The network graph is displayed at different hierarchical levels as a visualization on a display screen, with risk assessments overlaid on corresponding nodes on the visualization.

These and other features of the present disclosure will be readily apparent to persons of ordinary skill in the art upon reading the entirety of this disclosure, which includes the accompanying drawings and claims.

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete understanding of the subject matter may be derived by referring to the detailed description and claims when considered in conjunction with the following figures, wherein like reference numbers refer to similar elements throughout the figures.

FIG. 1 shows a block diagram of an enterprise network, in accordance with an embodiment of the present invention.

FIG. 2 shows a flow diagram of a method of dete