
Event Correlation Technique for Combating Advanced Persistent Threats (APTs)

IP.com Disclosure Number: IPCOM000244914D
Publication Date: 2016-Jan-29
Document File: 4 page(s) / 364K

Publishing Venue

The IP.com Prior Art Database

Related People

Anand Sankruthi: INVENTOR

Abstract

This publication describes a method to determine a set of event trails, starting from the event that was responsible for a state change in a protected asset and going backwards towards the event that was created by an external entity. The set of event trails thus formed will be processed to find their criticality rank, calculated using the event type of the events forming the event trail and the risk profile of the event generator. Finally, an administrator may receive an alert of that single event or event trail based on its criticality rank.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 46% of the total text.

Page 01 of 4

Event Correlation Technique for Combating Advanced Persistent Threats (APTs)

Anand Sankruthi

Symantec Corporation


Copyright © 2016 Symantec Corporation. All rights reserved.



Page 02 of 4

Copyright © 2016 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. For a full list of Symantec trademarks, please visit http://www.symantec.com/about/profile/policies/trademarks/currentlist.jsp

Any Symantec products described in this document are distributed under licenses restricting their use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Symantec Corporation 350 Ellis Street Mountain View, CA 94043 United States

http://www.symantec.com



Page 03 of 4


Problem Statement

An Advanced Persistent Threat (APT) is a category of threat that is much more advanced and invasive, designed to thwart security solutions and penetrate through the network. APTs cannot be detected by traditional security software installed on each endpoint alone, since more data about all elements in the network is required to discover patterns in activity and determine whether there is an anomaly. What is needed is a solution that captures events from all subsystems and derives intelligence from them to see which of those events could have contributed to an ongoing APT.

Solution Description

This publication describes an event correlation technique that correlates events in t...
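The method described in the abstract, as an added example that is not part of the disclosure: events are linked by "caused by" references, trails are walked backwards from a state-change event on a protected asset to every event that originated from an external entity, and each trail is scored from its event types and generator risk profiles. The disclosure does not give a scoring formula, so the weight tables, the sum-of-products rank and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed scoring tables: the disclosure names the inputs (event type and
# generator risk profile) but not the weights, so these are constructed.
EVENT_TYPE_WEIGHT = {"external_connection": 1, "file_download": 2,
                     "process_exec": 3, "privilege_change": 4, "config_change": 5}
GENERATOR_RISK = {"mail_gateway": 0.2, "vpn_gateway": 0.4,
                  "laptop-17": 0.6, "db-server-01": 0.9}

@dataclass
class Event:
    id: str
    etype: str
    generator: str            # subsystem or host that produced the event
    external: bool = False    # event created by an external entity
    caused_by: list = field(default_factory=list)  # ids of triggering events

def event_trails(events, start_id):
    """Walk backwards from the state-change event to every external-origin
    event; each trail runs from the external event to the state change."""
    trails = []
    def walk(eid, path, seen):
        if eid in seen:          # guard against cyclic causation links
            return
        ev = events[eid]
        path, seen = [ev] + path, seen | {eid}
        if ev.external:          # reached the entry point: record the trail
            trails.append(path)
        for parent in ev.caused_by:
            walk(parent, path, seen)
    walk(start_id, [], frozenset())
    return trails

def criticality_rank(trail):
    # Assumed formula: sum over the trail of event-type weight x generator risk
    return sum(EVENT_TYPE_WEIGHT[e.etype] * GENERATOR_RISK[e.generator] for e in trail)

def ranked_trails(events, state_change_id, threshold=0.0):
    """(rank, trail) pairs at or above threshold, highest criticality first."""
    scored = [(criticality_rank(t), t) for t in event_trails(events, state_change_id)]
    return sorted((s for s in scored if s[0] >= threshold), key=lambda p: p[0], reverse=True)

SAMPLE_EVENTS = {e.id: e for e in [           # constructed sample event graph
    Event("e1", "external_connection", "mail_gateway", external=True),
    Event("e2", "file_download", "laptop-17", caused_by=["e1"]),
    Event("e3", "process_exec", "laptop-17", caused_by=["e2"]),
    Event("e7", "external_connection", "vpn_gateway", external=True),
    Event("e4", "privilege_change", "db-server-01", caused_by=["e3", "e7"]),
    Event("e6", "process_exec", "db-server-01"),  # internal job, no external origin
    Event("e5", "config_change", "db-server-01", caused_by=["e4", "e6"]),  # protected-asset state change
]}

if __name__ == "__main__":
    for rank, trail in ranked_trails(SAMPLE_EVENTS, "e5"):
        print(f"{rank:5.1f}  " + " -> ".join(e.id for e in trail))
```

The branch through e6 yields no trail because it never reaches an external event, which is the disclosure's filter for what counts as an attack path worth alerting on.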