
US-20260129059-A1 - METHOD OF THREAT DETECTION IN A THREAT DETECTION NETWORK AND THREAT DETECTION NETWORK


Abstract

A network node of a threat detection network, a backend server of a threat detection network, a threat detection network and a threat detection method in a threat detection network. The threat detection network comprises interconnected network nodes and a backend system, wherein at least part of the nodes comprise security agent modules which collect data related to the respective network node. The method comprises collecting and/or analyzing at the network node data related to a network node, generating at least one local behavior model at the network node related to the network node on the basis of the collected and/or analyzed data, sharing at least one generated local behavior model related to the network node with one or more other nodes and/or with the backend system, comparing user activity in a node to the generated local behavior model and/or a received behavior model, and alerting the backend and/or the other nodes, e.g. about anomalous behavior, if deviation from the generated local behavior model and/or the received behavior model is detected, and/or comparing at the backend system the anomalous data with other behavior models, e.g. with other behavior models in the same organization and/or behavior models of known malicious users, and sending from the backend system to the node results and/or data relating to the comparison.

Inventors

  • Mika STÅHLBERG
  • Matti AKSELA

Assignees

  • F-SECURE CORPORATION

Dates

Publication Date
20260507
Application Date
20251110
Priority Date
20201214

Claims (19)

  1-15. (canceled)
  16. A method of threat detection in a threat detection network, the threat detection network comprising interconnected network nodes and a backend system, wherein at least part of the nodes comprise security agent modules which collect data related to the respective network node, the method comprising: collecting and/or analyzing at the network node data related to a network node, generating or receiving at least one local user behavior model at the network node related to the network node on the basis of the collected and/or analyzed data, wherein the at least one local user behavior model is stored as a single event comprising model parameters that characterize normal behavior of a particular user of the network node; sharing at least one generated local user behavior model related to the network node with one or more other nodes and with the backend system, comparing user activity in a node to the at least one generated local user behavior model, and alerting the backend system and/or the other nodes about anomalous behavior if deviation from the at least one generated local user behavior model is detected, and/or comparing at the backend system the received anomalous data with other behavior models in the same organization and/or behavior models of known malicious users, and sending from the backend system to the node results and/or data relating to the comparison, wherein at least one local user behavior model related to the network node is generated by the network node and at least one common behavior model is generated by the backend system of the computer network and/or by the network node based at least in part on the at least one received local user behavior model.
  17. The method of claim 16, wherein the backend system is a cloud-based endpoint detection and response (EDR) backend that is remote from the network nodes.
  18. The method of claim 16, wherein alerting the backend system and/or other nodes is based on filtering an input event to determine a measure indicating a likelihood that the input event is consistent with the at least one local behavior model, and/or determining that the deviation from the at least one local user behavior model meets or exceeds a predetermined or adaptive threshold.
  19. The method according to claim 16, wherein once deviation from the at least one generated local user behavior model is detected, the agent module and/or the node performs at least one of the following actions: increasing the level of data collection, sending to the backend system and/or other nodes the data that did not match the at least one generated local user behavior model, heightening a risk level of the user, heightening a risk level of the node and/or alerting an operator.
  20. The method according to claim 16, wherein the agent module builds the at least one behavior model by collecting and analyzing data relating to user activity utilizing a machine learning model, such as a statistical model, a probabilistic model and/or a deep learning model.
  21. The method according to claim 16, wherein the generated or received at least one behavior model is used in monitoring the activity of a user in order to notice changes in behavior which are due to automation, attacks and/or another user using the same account.
  22. The method according to claim 16, wherein a same behavior model essentially covers users with corresponding activity, corresponding behavior and/or corresponding role in the organization.
  23. The method according to claim 16, wherein the agent modules collect at least one of the following computer usage data for creating the at least one behavior model and/or when comparing user activity: programs executed and frequency thereof, login location, login time, login place, network usage patterns, keyboard layout, keyboard language, typing frequency and/or speed, mouse and touch screen movement patterns, typing errors, syntax and style of command-line commands and arguments, use of clipboard, peripheral devices, such as headphones, camera, screens, printers, USB storage, and/or activity of the peripheral devices, screen lock status, use of keyboard shortcuts.
  24. The method according to claim 16, wherein the backend system identifies shared accounts used at the nodes and/or in the network and links multiple behavior models to an identified shared account.
  25. The method according to claim 16, wherein the threat detection control network is a threat control swarm intelligence network, and/or the threat control swarm intelligence network comprises a plurality of interconnected network nodes of a local computer network, and the at least one behavior model is shared with the backend system and/or nodes of the swarm intelligence network.
  26. A computer program product comprising at least one non-transitory computer-readable medium having instructions stored thereon which, when executed by a processor of a computer, cause the computer to carry out the method according to claim 16.
  27. A non-transitory computer-readable medium having instructions stored thereon which, when executed by a processor, cause a computer to perform the method according to claim 16.
  28. A network node of a threat detection network, the network comprising interconnected network nodes and a backend system, wherein the network node comprises at least one or more processors and at least one security agent module which is configured to collect data related to the respective network node, and the network node is configured to collect and/or analyze data related to the network node; the network node is further configured to generate at least one local user behavior model related to the network node on the basis of the collected and/or analyzed data, wherein the at least one local user behavior model is stored as a single event comprising model parameters that characterize normal behavior of a particular user of the network node; the network node is further configured to share at least one generated local user behavior model related to the network node with one or more other nodes and with the backend system; the network node is further configured to compare user activity in a node to the at least one generated local user behavior model, and to alert the backend system and the other nodes about anomalous behavior if deviation from the at least one generated local user behavior model is detected; and/or the network node is configured to receive from the backend system results and/or data relating to a comparison carried out by the backend system, the comparison comprising comparing the anomalous data received by the backend system with other behavior models in the same organization and/or behavior models of known malicious users, wherein at least one local user behavior model related to the network node is generated by the network node and at least one common behavior model is generated by the backend system of the computer network and/or by the network node based at least in part on the at least one received local user behavior model.
  29. The network node of claim 28, wherein the backend system is a cloud-based endpoint detection and response (EDR) backend that is remote from the network nodes.
  30. The network node of claim 28, wherein alerting the backend system and/or other nodes is based on filtering an input event to determine a measure indicating a likelihood that the input event is consistent with the at least one local behavior model, and/or determining that the deviation from the at least one local user behavior model meets or exceeds a predetermined or adaptive threshold.
  31. A threat detection network comprising a plurality of interconnected network nodes and a backend system, wherein: each network node comprises at least one or more processors and at least one security agent module which is configured to collect data related to the respective network node, and the network node is configured to collect and/or analyze data related to the network node; each network node is further configured to generate at least one local user behavior model related to the network node on the basis of the collected and/or analyzed data, wherein the at least one local user behavior model is stored as a single event comprising model parameters that characterize normal behavior of a particular user of the network node; each network node is further configured to share the at least one generated local user behavior model related to the network node with one or more other nodes and with the backend system; each network node is further configured to compare user activity in a node to the at least one generated local user behavior model, and to alert the backend system and the other nodes about anomalous behavior if deviation from the at least one generated local user behavior model is detected; and each network node is configured to receive from the backend system results and/or data relating to a comparison carried out by the backend system, the comparison comprising comparing the anomalous data received by the backend system with other behavior models in the same organization and/or behavior models of known malicious users; the backend server comprises at least one or more processors and is configured to receive the at least one local user behavior model from a network node, generated by the network node on the basis of data collected and analyzed at the network node; the backend server is further configured to receive an alert from a network node about detected anomalous behavior if deviation from the at least one generated local user behavior model is detected at the network node; and the backend server is further configured to compare at the backend system the anomalous data with at least one common behavior model created by the backend server based on at least one received local user behavior model, with other behavior models in the same organization and/or with behavior models of known malicious users, and to send from the backend system to the network node results and/or data relating to the comparison, wherein at least one local user behavior model related to the network node is generated by the network node and at least one common behavior model is generated by the backend system of the computer network and/or by the network node based at least in part on the at least one received local user behavior model.
  32. The threat detection network of claim 31, wherein the backend system is a cloud-based endpoint detection and response (EDR) backend that is remote from the network nodes.
  33. The threat detection network of claim 31, wherein alerting the backend system and/or other nodes is based on filtering an input event to determine a measure indicating a likelihood that the input event is consistent with the at least one local behavior model, and/or determining that the deviation from the at least one local user behavior model meets or exceeds a predetermined or adaptive threshold.
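The node-side flow of claims 16 and 18 (a local user behavior model stored as one record of parameters, a likelihood filter over an input event, a threshold check) followed by the backend comparison against same-organization and known-malicious models, as an added example that is not the patent's or F-Secure's code. The feature names (login hour, typing speed, programs executed, drawn from claim 23), the threshold value and all sample events are constructed assumptions.

```python
import math
from collections import Counter

ALICE_EVENTS = [  # constructed sample history of one user on the node
    {"login_hour": 8, "typing_wpm": 60, "programs": ["outlook", "word"]},
    {"login_hour": 9, "typing_wpm": 62, "programs": ["outlook", "excel"]},
    {"login_hour": 8, "typing_wpm": 58, "programs": ["word", "excel"]},
    {"login_hour": 9, "typing_wpm": 61, "programs": ["outlook", "word"]},
]
MALLORY_EVENTS = [  # constructed backend profile of a known malicious operator
    {"login_hour": 3, "typing_wpm": 120, "programs": ["powershell", "ssh"]},
    {"login_hour": 2, "typing_wpm": 118, "programs": ["powershell", "ssh"]},
]
NORMAL_EVENT = {"login_hour": 9, "typing_wpm": 61, "programs": ["outlook"]}
ANOMALOUS_EVENT = {"login_hour": 3, "typing_wpm": 119, "programs": ["powershell"]}

def build_local_model(user, events):
    """Summarize a user's history as one record of model parameters:
    mean/std for numeric features, a frequency table for programs."""
    def stats(xs):
        m = sum(xs) / len(xs)
        sd = math.sqrt(sum((x - m) ** 2 for x in xs) / len(xs))
        return m, max(sd, 1.0)  # floor the std so one feature cannot dominate
    return {"user": user, "n": len(events),
            "login_hour": stats([e["login_hour"] for e in events]),
            "typing_wpm": stats([e["typing_wpm"] for e in events]),
            "programs": Counter(p for e in events for p in e["programs"])}

def event_likelihood(model, event):
    """Score in (0, 1]: how consistent an input event is with the model."""
    score = 1.0
    for feat in ("login_hour", "typing_wpm"):
        m, sd = model[feat]
        z = abs(event[feat] - m) / sd
        score *= math.exp(-0.5 * z * z)  # Gaussian kernel on the z-score
    total = sum(model["programs"].values()) or 1
    for prog in event["programs"]:  # unseen program gets a small floor, not zero
        score *= max(model["programs"][prog] / total, 0.02)
    return score

def check_event(model, event, threshold=0.05):
    """Node-side check: alert record if the deviation meets the threshold."""
    lik = event_likelihood(model, event)
    if lik >= threshold:
        return None
    return {"user": model["user"], "likelihood": round(lik, 4), "event": event}

def backend_compare(alert, org_models, malicious_models):
    """Backend step: which known model best explains the anomalous event."""
    scored = [(event_likelihood(m, alert["event"]), m["user"], kind)
              for kind, ms in (("org", org_models), ("malicious", malicious_models))
              for m in ms]
    lik, name, kind = max(scored)
    return {"best_match": name, "kind": kind, "likelihood": round(lik, 4)}
```

The returned dictionary from `backend_compare` is what the backend would send back to the node; with the constructed data above the normal event passes the filter and the off-hours PowerShell event is flagged and matched to the known-malicious profile.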

Description

TECHNICAL FIELD

The present invention relates to a threat detection method in a threat detection network, a network node of a threat detection network, a backend server of a threat detection network and a threat detection network.

BACKGROUND

Security systems for computers and computer networks are used to detect threats and anomalies in computers and networks. Examples of such are Endpoint Detection & Response (EDR) and Managed Detection and Response (MDR) products and services. EDR focuses on the detection and monitoring of a breach as it occurs and helps to determine how best to respond to the detected breach. The growth of efficient and robust EDR solutions has been made possible in part by the emergence of machine learning, big data and cloud computing. MDR in turn is a managed cybersecurity service providing threat detection, response and remediation.

EDR or other corresponding systems deploy data collectors on selected network endpoints (which can be any element of IT infrastructure). The data collectors observe activities happening at the endpoint and then send the collected data to a central backend system (“EDR backend”), often located in the cloud. When the EDR backend receives the data, the data is processed (e.g. aggregated and enriched) before being analyzed and scanned by the EDR provider for signs of security breaches and anomalies.

A problem with EDR however is that the volume of data produced by the data collectors can be extremely large. Data volume is normally proportional to the activity occurring at a given EDR endpoint, so when activity at that EDR endpoint is great, the produced data volume is also great. The immediate consequences of such large volumes of data include decreased quality of service, increased cost of service and increased consumption of resources associated with managing large volumes of data. For example, when high volumes of data need to be processed and made available in a usable format, the associated resource overheads and monetary costs can in some cases be very large for the EDR provider, which in turn can increase the cost of providing EDR to customer organizations. Many organizations thus simply opt not to implement EDR and continue to rely solely on EPP (End Point Protection) solutions, which presents a security risk as basic EPP services do not provide adequate protection against advanced file-less threats.

Some EDR systems have proposed reducing the data overhead by being selective about what data is collected (i.e. a policy of selective data collection limitation). However, this solution is problematic because effective monitoring, detection and forensic analysis often require as complete a data picture as possible. It is often not possible to know in advance what data will be required to monitor and track a malicious actor. Realizing that key pieces of information were not collected can often put a stop to any investigation, rendering such EDR systems ineffective.

Technologies have been developed over the years for cyber defense which are based on building a reputation for objects such as processes, files, network addresses and the like, or on analyzing the behavior of individual software entities. Advanced targeted attacks, attacks where a well-resourced attacker is not attacking random targets but persistently targets a specific organization or even an individual user, have been designed to bypass such defenses. In a typical attack, a hacker on a keyboard somehow steals or guesses the access credentials of a legitimate user and then uses those credentials to move within the virtual estate of the organization. In these attacks the attacker doesn't “hack in”, they “log in”.

User and Entity Behavior Analysis (UEBA) is a term for detecting anomalous behavior of legitimate entities (such as servers or mobile devices) or users. In one scenario it can be used to detect if a user who typically logs in in the morning from the USA suddenly logs in in the middle of the night from China, or to detect that a typical office worker is suddenly compiling programs or logging into servers from the command line. The problem the typical UEBA approaches don't cover is a situation where the behavior of a logged-in user is not (yet) obviously anomalous or malicious. The attacker can do all kinds of things the user is supposed to do without fear of detection, and it is very likely that attackers might try to mask their behavior even further by mimicking normal behavior using various forms of automation. Thus, there is a need to recognize these kinds of situations too, more reliably and with a low false positive rate. There is also a need to reduce costs associated with managing large volumes of data and a need to improve the way in which data is collected and processed in the context of EDR systems while at the same time avoiding significant risks to threat detection capabilities.

SUMMARY

The following presents a simplified summary in order to provide basic understanding of some aspects of various