US-12627700-B2 - Behavior-based asset classifications
Abstract
Techniques, systems, and computer-readable media for dynamic behavior-based asset classification are described herein. An asset classification system can detect and receive data associated with a host computer, determine, based on the data, a behavior associated with the host computer, assign the host computer a server classification based on the determination that the behavior represents a behavior of focus, and record the assigned server classification associated with the host computer. In various examples, the asset classification system can determine the behavior is a behavior of focus based on one or more of: a number of connections to other computers associated with a shared customer identifier, a number of unique other host computers connecting to the host computer, and/or a number of unique non-local accounts that have logged in to the host computer, and that the host computer has had an inbound connection on a common port.
Inventors
- Ryan INGHILTERRA
- SHAEFER DREW
- Michael Brautbar
Assignees
- CROWDSTRIKE, INC.
Dates
- Publication Date
- 2026-05-12
- Application Date
- 2023-12-19
Claims (20)
- 1 . A system comprising: distributed computing resources, each distributed computing resource including one or more processors for distributedly sharing resources, balancing load, providing fail-over support, and providing redundancy among the distributed computing resources; and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed, configure the one or more processors of the distributed computing resources to distributedly function to: detect data representing behavior associated with a host computer; determine, based on the data associated with the host computer, at least one behavior associated with the host computer; automatically assign the host computer a server classification, to create an assigned server classification, based on the determination that the at least one behavior associated with the host computer represents a behavior of focus being above a threshold; and record the assigned server classification associated with the host computer.
- 2 . The system as claim 1 recites, the system further comprising computer-executable instructions that, when executed, further configure the one or more processors to: determine that the host computer has had a number of connections to other computers associated with a shared customer identifier; determine whether the number of connections to the other computers associated with the shared customer identifier is above the threshold; and wherein the at least one behavior associated with the host computer includes the number of connections from a plurality of computers associated with the shared customer identifier being above the threshold and the server classification is assigned based on the number of connections from the plurality of computers being above the threshold indicates the behavior of focus.
- 3 . The system as claim 2 recites, wherein the number of connections includes an average number of connections during a period of time.
- 4 . The system as claim 3 recites, wherein the average number of connections is determined per entity as identified by the shared customer identifier.
- 5 . The system as claim 3 recites, wherein the period of time is an hour.
- 6 . The system as claim 3 recites, wherein: the period of time is a first period of time; and the threshold represents a threshold percentage corresponding to the plurality of computers associated with the shared customer identifier that have had a network connection in a second period of time.
- 7 . The system as claim 1 recites, wherein the threshold is a first threshold, the system further comprising computer-executable instructions that, when executed, configure the one or more processors to: determine, based on the data associated with the host computer, a number of unique other host computers connecting to the host computer; determine whether the number of unique other host computers connecting to the host computer is above a second threshold; and wherein the at least one behavior associated with the host computer includes the number of unique other host computers connecting to the host computer being above the second threshold and the server classification is assigned based on the number of unique other host computers connected to the host computer being above the second threshold indicates the behavior of focus.
- 8 . The system as claim 7 recites, wherein the number of unique hosts connecting is based on connections from unique hosts during a period of time.
- 9 . The system as claim 8 recites, wherein the period of time is a period of seven days.
- 10 . The system as claim 9 recites, wherein the second threshold represents a percentage corresponding to at least one of: a top 10%, a top 5%, or a top 1%, of a plurality of computers associated with a shared customer identifier that have had a network connection during a period of time.
- 11 . The system as claim 1 recites, wherein the threshold is a first threshold, the system further comprising computer-executable instructions that, when executed, configure the one or more processors to: determine, based on the data associated with the host computer, a number of unique non-local accounts that have logged in to the host computer is equal to or greater than a third threshold; determine, based on the data associated with the host computer, that the host computer has had an inbound connection on a common port; and wherein the at least one behavior associated with the host computer includes the number of unique non-local accounts that have logged in to the host computer being equal to or greater than the third threshold and that the host computer has had the inbound connection on the common port and the server classification is assigned based on the number of unique non-local accounts that have logged in to the host computer being equal to or greater than the third threshold and that the host computer has had the inbound connection on the common port, which indicates the behavior of focus.
- 12 . The system as claim 11 recites, wherein the system is configured to determine the number of unique non-local accounts that have logged in to the host computer over a predefined period of time.
- 13 . The system as claim 11 recites, wherein the third threshold is one.
- 14 . The system as claim 11 recites, wherein the common port is one of a plurality of common ports including one or more of port 22, port 443, port 80, port 8080, port 25, port 53, port 3389, port 143, port 993, or port 587.
- 15 . The system as claim 11 recites, the system further comprising computer-executable instructions that, when executed, further configure the one or more processors to classify the host computer as one or more subtypes of servers including: a dynamic host configuration protocol (DHCP) server based on the host computer having at least one inbound connection on port 67 or port 68 that is not a broadcast connection; a domain name system (DNS) server based on the host computer having at least one of: an inbound connection on port 53, at least one application installed including a predetermined word in a name of the host computer, or less than a predetermined percentage of sources that are scanners; a file transfer protocol (FTP) server based on the host computer having at least one inbound connection on port 21, port 20, port 989, or port 990; a secure shell host (SSH) server based on the host computer having at least one inbound connection on port 22; or a web server based on the host computer having: at least one inbound connection on port 80 or port 443, and less than a predetermined percentage of sources that are scanners.
- 16 . A non-transitory computer-readable medium comprising: an interface configured to operably connect the non-transitory computer-readable medium to one or more processors of distributed computing resources, each distributed computing resource including one or more processors for distributedly sharing resources, balancing load, providing fail-over support, and providing redundancy among the distributed computing resources; and instructions stored on the non-transitory computer-readable medium and executable by the one or more processors of the distributed computing resources, the instructions, when executed, to configure the one or more processors of the distributed computing resources to distributedly perform operations comprising: detect data associated with a host computer; determine, based on the data associated with the host computer, at least one behavior associated with the host computer; automatically assign the host computer a server classification based on the determination that the at least one behavior associated with the host computer represents a behavior of focus being above a threshold; and record the server classification associated with the host computer.
- 17 . The non-transitory computer-readable medium as claim 16 recites, the instructions, when executed, to configure the one or more processors to distributedly perform operations further comprising at least one of: to identify a number of connections, to identify a number of unique other hosts connecting, or to identify the host computer as an asset operating as a server: identify the number of connections by: determining that the host computer has had a number of connections to other computers associated with a shared customer identifier; determining whether the number of connections to other computers associated with the shared customer identifier is above the threshold, wherein the threshold is a first threshold; and wherein the at least one behavior associated with the host computer includes the number of connections to a plurality of computers associated with the shared customer identifier being above the first threshold; identify the number of unique other hosts connecting by: determining, based on the data associated with the host computer, a number of unique other host computers connecting to the host computer; determining whether the number of unique other host computers connecting to the host computer is above a second threshold; and wherein the at least one behavior associated with the host computer includes the number of unique other host computers connecting to the host computer being above the second threshold; and identify the host computer as the asset operating as the server by: determining, based on the data associated with the host computer, a number of unique non-local accounts that have logged in to the host computer is above a third threshold; determining, based on the data associated with the host computer, that the host computer has had an inbound connection on a common port; wherein the at least one behavior associated with the host computer includes the number of unique non-local accounts that have logged in to the host computer being above the third threshold and that the host computer has had the inbound connection on the common port.
- 18 . A system comprising: one or more processors; and an interface configured to communicatively couple the one or more processors to the non-transitory computer-readable medium as claim 17 recites.
- 19 . A method, performed by distributed computing resources, each distributed computing resource including one or more processors for distributedly sharing resources, balancing load, providing fail-over support, and providing redundancy among the distributed computing resources, comprising: receiving data associated with a host computer; determining, based on the data associated with the host computer, at least one behavior associated with the host computer; automatically assigning the host computer a server classification based on the determination that the at least one behavior associated with the host computer represents a behavior of focus being above a threshold; and recording the server classification associated with the host computer.
- 20 . The method as claim 19 recites, further comprising at least one of: identifying a number of connections, identifying a number of unique other hosts connecting, or identifying the host computer as an asset operating as a server: identifying the number of connections by: determining that the host computer has had a number of connections to other computers associated with a shared customer identifier; determining whether the number of connections to the other computers associated with the shared customer identifier is above the threshold, wherein the threshold is a first threshold; and wherein the at least one behavior associated with the host computer includes the number of connections to a plurality of computers associated with the shared customer identifier being above the first threshold; identifying the number of unique other hosts connecting by: determining, based on the data associated with the host computer, a number of unique other host computers connecting to the host computer; determining whether the number of unique other host computers connecting to the host computer is above a second threshold; and wherein the at least one behavior associated with the host computer includes the number of unique other host computers connecting to the host computer being above the second threshold; and identifying the host computer as the asset operating as the server by: determining, based on the data associated with the host computer, a number of unique non-local accounts that have logged in to the host computer is above a third threshold; determining, based on the data associated with the host computer, that the host computer has had an inbound connection on a common port; and wherein the at least one behavior associated with the host computer includes the number of unique non-local accounts that have logged in to the host computer being above the third threshold and that the host computer has had the inbound connection on the common port.
Description
BACKGROUND
Security analysts face an increasing number of alerts about software vulnerabilities and network vulnerabilities. Vulnerability management software has been helpful in more efficiently surfacing vulnerabilities. However, it also contributes to a problematic rise in alert fatigue for these security analysts from the increasingly overwhelming number of alerts.
BRIEF DESCRIPTION OF THE DRAWINGS
The detailed description is described with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical components or features. The systems depicted in the accompanying figures are not to scale and components within the figures may be depicted not to scale with each other.
- FIG. 1 illustrates a system-architecture diagram of an environment in which dynamic behavior-based asset classification can be deployed to efficiently identify critical assets and prioritize alerts for the most consequential vulnerabilities.
- FIG. 2 illustrates a flow diagram of an example method of dynamic behavior-based asset classification, as described herein.
- FIG. 3 illustrates a flow diagram of an example method of dynamic behavior-based asset classification, as described herein.
- FIG. 4 illustrates a flow diagram of an example method of dynamic behavior-based asset classification, as described herein.
- FIG. 5 illustrates a flow diagram of an example method of dynamic behavior-based asset classification, as described herein.
- FIG. 6 is a block diagram of an illustrative computing architecture showing example hardware components for a computing device that can implement the dynamic behavior-based technology and techniques described herein.
DETAILED DESCRIPTION
Overview
With a limited number of analysts who can each analyze a limited number of alerts, there remains a need to identify critical assets and prioritize alerts for the most consequential vulnerabilities without requiring manual assignments designating asset criticality and without simply relying on conventional static server designations and rules. This disclosure describes dynamic behavior-based asset classification techniques, systems, and one or more computer-readable media including instructions for identifying critical assets and prioritizing alerts for the most consequential vulnerabilities to help mitigate alert fatigue for security analysts and enable them to patch vulnerabilities that will have the greatest impact. The dynamic behavior-based asset classification techniques, systems, and one or more computer-readable media can include one or more components configured to identify critical assets and prioritize which alerts are provided according to the most consequential vulnerabilities based on behaviors at and/or traffic to a particular host computer. In various examples, the system described herein can identify critical assets based on classifying host computers as highly active servers, highly connected servers, and/or as servers based on remote logins and inbound port connections, without regard to server specification or server configuration designations. The system described herein can automatically assign a label to an asset corresponding to the server classification and/or behavior classification. In some examples, the system can identify assets as subtypes of servers including dynamic host configuration protocol (DHCP) servers, domain name system (DNS) servers, file transfer protocol (FTP) servers, secure shell host (SSH) servers, web servers, etc.
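As an added example (not code from the patent or from CrowdStrike), the following Python scores the hosts of one customer identifier against the three behaviors of focus in the claims (highly active, highly connected, and server by non-local logins plus a common inbound port) and then applies the port-based subtype rules, over constructed flow and login records. The top-10% cut, one-account minimum, 50% scanner share, 7-day window, record format and the reduction of the DNS and web rules to a port check plus a scanner-share check are assumptions of this example, not values the patent fixes.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Port lists come from the claims; the top-10% cut, one-account minimum, 50% scanner
# share and 7-day window are settings assumed for this example, not fixed by the patent.
COMMON_PORTS = {22, 443, 80, 8080, 25, 53, 3389, 143, 993, 587}
SUBTYPES = {"dhcp": {67, 68}, "dns": {53}, "ftp": {20, 21, 989, 990}, "ssh": {22}, "web": {80, 443}}
TOP_FRACTION, MIN_ACCOUNTS, MAX_SCANNER_SHARE, WINDOW = 0.10, 1, 0.5, timedelta(days=7)

def top_threshold(values, fraction=TOP_FRACTION):
    # Smallest value that still lands in the top `fraction` of hosts showing any activity.
    ranked = sorted(v for v in values if v > 0)
    return ranked[-max(1, int(len(ranked) * fraction))] if ranked else float("inf")

def host_features(flows, logins, now):
    # Per-host counters inside the window; broadcast traffic is skipped (not a connection).
    feats = defaultdict(lambda: {"conns": 0, "peers": set(), "srcs": defaultdict(set),
                                 "scanners": defaultdict(set), "accounts": set()})
    for f in flows:
        if now - f["ts"] > WINDOW or f.get("broadcast"):
            continue
        feats[f["src"]]["conns"] += 1                    # connections the host made
        dst = feats[f["dst"]]
        dst["peers"].add(f["src"])                       # unique hosts connecting inbound
        dst["srcs"][f["dport"]].add(f["src"])            # inbound sources per port
        if f.get("scanner"):
            dst["scanners"][f["dport"]].add(f["src"])
    for l in logins:
        if now - l["ts"] <= WINDOW and not l["local"]:
            feats[l["host"]]["accounts"].add(l["user"])  # unique non-local accounts
    return feats

def classify(flows, logins, now):
    # Returns {host: set(labels)} for the hosts sharing one customer identifier.
    feats = host_features(flows, logins, now)
    hours = WINDOW.total_seconds() / 3600
    act_thr = top_threshold([v["conns"] / hours for v in feats.values()])
    peer_thr = top_threshold([len(v["peers"]) for v in feats.values()])
    labels = {}
    for host, v in feats.items():
        inbound = set(v["srcs"])
        tags = {name for name, hit in [
            ("highly_active", v["conns"] / hours >= act_thr),
            ("highly_connected", len(v["peers"]) >= peer_thr),
            ("server", len(v["accounts"]) >= MIN_ACCOUNTS and bool(inbound & COMMON_PORTS))] if hit}
        for sub, ports in SUBTYPES.items():              # DNS and web also need few scanners
            srcs = set().union(*(v["srcs"][p] for p in ports & inbound))
            bad = set().union(*(v["scanners"][p] for p in ports & inbound))
            if srcs and (sub not in ("dns", "web") or len(bad) / len(srcs) < MAX_SCANNER_SHARE):
                tags.add(sub)
        labels[host] = tags
    return labels
# Constructed sample: three workstations, one scanner and one server under one customer id.
NOW = datetime(2024, 1, 8)
def flow(src, dst, dport, days_ago, **kw):
    return {"src": src, "dst": dst, "dport": dport, "ts": NOW - timedelta(days=days_ago), **kw}
SAMPLE_FLOWS = [flow(f"ws{i}", "srv1", 443, 1) for i in (1, 2, 3)] + [
    flow("ws1", "srv1", 22, 2), flow("scan1", "srv1", 80, 1, scanner=True), flow("ws2", "ws3", 445, 3),
    flow("ws1", "srv1", 67, 1, broadcast=True), flow("ws3", "srv1", 53, 9)]  # last two are ignored
SAMPLE_LOGINS = [{"host": "srv1", "user": "corp\\admin", "local": False, "ts": NOW},
                 {"host": "ws2", "user": "localuser", "local": True, "ts": NOW}]
```

On the sample, `classify(SAMPLE_FLOWS, SAMPLE_LOGINS, NOW)` labels srv1 as highly_connected, server, ssh and web, while the broadcast DHCP flow and the stale port-53 flow contribute nothing.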
In various examples, the techniques, system, and computer-executable instructions can generate a report of the vulnerabilities deemed most consequential and/or patched for analysts and/or clients of the system. In some examples, the system, via an interface, can receive instructions from analysts and/or clients, for example, to further refine the types of vulnerabilities identified, and/or to change and/or set parameters for the various thresholds and/or periods of time. The techniques described herein can improve the functioning of a computing device by providing an efficient method for identifying critical assets and providing alerts prioritized according to the consequences associated with particular vulnerabilities of the critical assets. Surfacing more important alerts based on behavior at and/or traffic to particular host computers can reduce the network traffic associated with alerts that may be unactionable because of excess volumes of traffic to which humans cannot adequately respond, and thereby also mitigate alert fatigue for security analysts. Surfacing more important alerts based on behavior at and/or traffic to particular host computers can also surface alerts related to vulnerabilities that may not otherwise be apparent, which can help focus security analysts on effective actions to address consequential vulnerabilities.