Bank of America Corporation
Lateral movement visualization for intrusion detection and remediation
Last updated:
Abstract:
Aspects of the disclosure relate to visualizing an intruder's lateral movement across a network, that is, the chain of connections from one computer or resource under investigation to the next. A first computer is identified for investigation. Logs of that computer's incoming and outgoing connections are extracted and can be prefiltered by specific account or session IDs or other criteria. Maps of incoming and outgoing connections are stored in memory along with the associated event information. Each subsequent computer the first computer connected to, or resource it accessed, is identified, and the map is updated from that computer's or resource's own logs. A graphical image showing each applicable host, its connections, the chronology, and/or contextual information is generated and displayed. Individual hosts and other displayed data can be user-selectable to drill down and/or show additional information. The process repeats until every host, from patient zero to all endpoints, has been identified and rendered.
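The walk the abstract describes, worked as an added Python example that is not the patent's own implementation: the log records, hostnames, accounts and event names are constructed for the example, the logs of every host are pooled into one list rather than pulled host by host, and the rule of following only hops that occur at or after the time a host was first reached is an assumption added here so that pre-intrusion connections stay off the map.

```python
"""Trace lateral movement outward from a patient-zero host by walking connection
logs host by host and building a host map with chronology (added example)."""
import heapq
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Hop:
    """One remote connection observed in a host's logs."""
    ts: datetime
    src: str
    dst: str
    account: str
    event: str


@dataclass
class HostNode:
    """A host on the map: when the intruder first reached it and its connections."""
    host: str
    reached_at: datetime
    outgoing: list = field(default_factory=list)   # hops followed from this host
    incoming: list = field(default_factory=list)   # all observed inbound hops (context)


# Constructed sample records: (timestamp, source host, destination host, account, event).
# Everything here is made up for the example.
SAMPLE_RECORDS = [
    ("2024-03-01T08:30:00", "ws-003", "ws-017", "jdoe", "RDP logon"),       # inbound to patient zero
    ("2024-03-01T09:00:00", "ws-017", "fs-02", "jdoe", "SMB logon"),
    ("2024-03-01T09:05:00", "ws-017", "srv-sql1", "svc-backup", "RDP logon"),
    ("2024-03-01T09:20:00", "srv-sql1", "dc-01", "svc-backup", "WMI exec"),
    ("2024-03-01T09:25:00", "fs-02", "ws-044", "jdoe", "PsExec"),
    ("2024-02-20T11:00:00", "srv-sql1", "srv-web1", "deploy", "SSH"),        # pre-intrusion history
    ("2024-03-01T09:30:00", "dc-01", "srv-sql1", "svc-backup", "SMB share"), # back-edge
]


def parse_records(records):
    """Turn raw tuples into Hop objects, oldest first."""
    hops = (Hop(datetime.fromisoformat(ts), s, d, a, e) for ts, s, d, a, e in records)
    return sorted(hops, key=lambda h: h.ts)


def trace_lateral_movement(hops, patient_zero, start_time, accounts=None):
    """Expand the host map from patient zero until no new host is reached.

    Hosts are expanded in order of the time they were first reached (a
    Dijkstra-style walk keyed on timestamp), so reached_at is final when a host
    is expanded. Only hops leaving a host at or after its reached_at are
    followed (assumption: earlier hops are unrelated history). `accounts` is the
    optional prefilter on specific IDs from the abstract.
    """
    if isinstance(start_time, str):
        start_time = datetime.fromisoformat(start_time)
    if accounts is not None:
        hops = [h for h in hops if h.account in accounts]
    graph = {patient_zero: HostNode(patient_zero, start_time)}
    frontier = [(start_time, patient_zero)]
    expanded = set()
    while frontier:
        _, host = heapq.heappop(frontier)
        if host in expanded:
            continue  # stale heap entry from an earlier, later-timed discovery
        expanded.add(host)
        node = graph[host]
        node.incoming = [h for h in hops if h.dst == host]
        for h in hops:
            if h.src != host or h.ts < node.reached_at:
                continue
            node.outgoing.append(h)
            nxt = graph.get(h.dst)
            if nxt is None or h.ts < nxt.reached_at:
                graph[h.dst] = HostNode(h.dst, h.ts)
                heapq.heappush(frontier, (h.ts, h.dst))
    return graph


def timeline(graph):
    """Chronological list of the hops that were followed (the map's time axis)."""
    return sorted((h for n in graph.values() for h in n.outgoing), key=lambda h: h.ts)


def to_dot(graph):
    """Render the map as Graphviz DOT; nodes carry reached time, edges when/who/how."""
    lines = ["digraph lateral_movement {", "  rankdir=LR;"]
    for n in sorted(graph.values(), key=lambda n: n.reached_at):
        lines.append(f'  "{n.host}" [label="{n.host}\\nreached {n.reached_at:%H:%M}"];')
    for h in timeline(graph):
        lines.append(f'  "{h.src}" -> "{h.dst}" [label="{h.ts:%H:%M} {h.account} {h.event}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    graph = trace_lateral_movement(parse_records(SAMPLE_RECORDS), "ws-017", "2024-03-01T08:30:00")
    print(to_dot(graph))
```

Piping the output through `dot -Tsvg` gives the host graph; `timeline()` is the chronology and each `HostNode` is the drill-down record for one host. Two caveats worth keeping in mind: the account prefilter shrinks the map but also hides hops made on other credentials (with `accounts={"svc-backup"}` the map above loses `fs-02` and `ws-044`), and the time cut-off only works if the clocks on the hosts whose logs you pool are in sync.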
Utility
10 Jan 2020
23 Aug 2022