Determination of related entities

Abstract
A method/system for determining a group of related entities of interest in one or more processing systems. The method comprises identifying a starting entity from one or more entities in the one or more processing systems, then obtaining, based on an entity type of the starting entity, a first set of rules for determining at least one other related entity, and then determining, using the first set of rules, the at least one related entity.
Description

BRIEF DESCRIPTION OF FIGURES

An example embodiment of the present invention should become apparent from the following description, which is given by way of example only, of a preferred but non-limiting embodiment, described in connection with the accompanying figures.



FIG. 1 illustrates a functional block diagram of an example of a processing system that can be utilised to embody or give effect to a particular embodiment;



FIG. 2 illustrates a flow diagram of an example method of determining a group of related entities of interest;



FIGS. 3A and 3B illustrate a further example of the method illustrated in FIG. 2 which is directed towards determining a group of entities which are suspicious;



FIG. 4 illustrates a flow diagram of an example method of determining malicious entities;



FIG. 5 illustrates a further example of the method illustrated in FIG. 4; and



FIGS. 6A, 6B and 6C illustrate a further example of a method of determining suspicious entities and malicious entities.


Claims
  • 1. A method of determining a group of related entities of interest in one or more processing systems, wherein the method comprises the steps of: (a) identifying a starting entity from one or more entities in the one or more processing systems; (b) obtaining, based on an entity property of the starting entity, a first rule for determining at least one related entity; and (c) determining, using the first rule, the at least one related entity relative to the starting entity.
  • 2. The method according to claim 1, wherein the method comprises: (d) setting the at least one related entity as the starting entity; and (e) repeating steps (b) and (c), followed by step (d) until an end condition is satisfied.
  • 3. The method according to claim 1, wherein the step of obtaining the first rule comprises selecting the first rule from a set of first rules according to the entity property.
  • 4. The method according to claim 4, wherein the step of identifying the starting entity in the one or more processing systems comprises one of: (i) identifying, using a second rule, the starting entity in the one or more processing systems; and (ii) a user selecting the starting entity in the one or more processing systems using an input device.
  • 5. The method according to claim 4, wherein the first rule is configured to determine one or more suspicious related entities relative to the starting entity.
  • 6. The method according to claim 5, wherein the method comprises: (i) determining, using a third set of rules, a level of maliciousness for at least some of the suspicious related entities; and (ii) if the level of maliciousness satisfies a criteria, identifying the at least some of the suspicious related entities as malicious.
  • 7. The method according to claim 6, wherein the method comprises: (i) identifying common suspicious entities between a plurality of records of suspicious related entities; and (ii) determining, using a third set of rules and the common suspicious entities, one or more malicious entities.
  • 8. The method according to claim 6, wherein the method comprises: (i) transferring, to a server processing system, data indicative of the one or more suspicious related entities; and (ii) receiving, from the server processing system, data indicative of whether at least some of the group is malicious.
  • 9. The method according to claim 6, wherein at least one of the first rule, the second rule and the third rule comprise using at least one of: (i) statistical processes; (ii) fuzzy logic processes; and (iii) heuristical processes.
  • 10. The method according to claim 6, wherein the at least one of the first rule, the second rule and the third rule are weighted according to a set of priorities.
  • 11. The method according to claim 2, wherein the end condition is at least one of: (i) when no related entities are determined in a particular repetition; (ii) when no new related entities are determined in a particular repetition; (ii) when no related entities are determined in a period of time; (v) when the starting entity has an entity property which is indicative of the end condition; and (vi) when a selected number of repetitions have been performed.
  • 12. The method according to claim 6, wherein at least one of the first rule, the second rule and the third rule are weighted according to a set of priorities.
  • 13. The method according to claim 1, wherein the method comprises: (i) selecting, from a set of first rules and based on the entity property of the starting entity, a plurality of first rules; and (ii) determining, using the plurality of first rules, the at least one related entity relative to the starting entity.
  • 14. A computer program for determining a group of related entities of interest in one or more processing systems, the computer program adapted to: (a) identify a starting entity from one or more entities in the one or more processing systems; (b) obtain, based on an entity property of the starting entity, a first rule for determining at least one related entity; and (c) determine, using the first rule, the at least one related entity relative to the starting entity.
  • 15. A method of determining one or more malicious entities within one or more processing systems, wherein the method comprises the steps of: (a) receiving suspicious entity data indicative of one or more suspicious entities in the one or more processing systems; (b) determining, using a set of malicious assessment rules and the suspicious entity data, one or more malicious entities.
  • 16. The method according to claim 15, wherein the method comprises the steps of: (i) receiving multiple records of suspicious entity data; (ii) determining common suspicious entities between the multiple records of the suspicious entity data; and (iii) determining, using the set of malicious assessment rules and the common suspicious entities, the one or more malicious entities.
  • 17. The method according to claim 16, wherein the malicious assessment rules are weighted according to a set of priorities.
  • 18. The method according to claim 15, wherein the method comprises: (i) generating instructions for quarantining the at least some of the group; and (ii) transferring, to the one or more processing systems, the instructions.
  • 19. The method according to claim 18, wherein the method comprises transferring to the one or more processing systems instructions which are computer executable instructions.
  • 20. A processing system to determine one or more malicious entities within one or more processing systems, wherein the processing system is configured to: (a) receive suspicious entity data indicative of one or more suspicious entities in the one or more processing systems; (b) determine, using a set of malicious assessment rules and the suspicious entity data, one or more malicious entities.
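
The iteration of claims 1 to 3 and 11 and the record intersection with weighted assessment of claims 15 to 17, sketched as an added example that is not code from the patent. The entity model, the rule functions, the weights and the threshold are all constructed assumptions.

```python
# Constructed sample system: entity name -> properties (all values are made up).
ENTITIES = {
    "run_key":      {"type": "registry", "points_to": ["dropper.exe"]},
    "dropper.exe":  {"type": "executable", "loads": ["payload.dll", "kernel32.dll"]},
    "payload.dll":  {"type": "library", "created_by": ["dropper.exe"], "writes": ["run_key"]},
    "kernel32.dll": {"type": "library", "vendor": "trusted"},
}

def untrusted(names):
    """Drop entities from a trusted vendor so the group does not grow into the OS."""
    return [n for n in names if ENTITIES[n].get("vendor") != "trusted"]

# Hypothetical first rules, selected by the entity property "type" (claims 1(b), 3).
FIRST_RULES = {
    "registry":   lambda e: untrusted(e.get("points_to", [])),
    "executable": lambda e: untrusted(e.get("loads", [])),
    "library":    lambda e: untrusted(e.get("created_by", []) + e.get("writes", [])),
}

def related_group(start, max_rounds=10):
    """Claims 1-2: expand from a starting entity until an end condition holds."""
    group, frontier = {start}, [start]
    for _ in range(max_rounds):           # end condition: selected number of repetitions
        found = set()
        for name in frontier:
            entity = ENTITIES[name]
            found.update(FIRST_RULES[entity["type"]](entity))  # steps (b) and (c)
        frontier = sorted(found - group)  # step (d): related entities become starting entities
        if not frontier:                  # end condition: no new related entities
            break
        group.update(frontier)
    return group

# Hypothetical malicious assessment rules as (weight, predicate) pairs (claims 15, 17).
ASSESSMENT_RULES = [
    (6, lambda e: e.get("vendor") != "trusted"),
    (4, lambda e: any(ENTITIES[t]["type"] == "registry" for t in e.get("writes", []))),
]

def malicious_entities(records, threshold=7):
    """Claim 16: score only the entities common to every suspicious-entity record."""
    common = set.intersection(*map(set, records))
    return {n for n in common
            if sum(w for w, rule in ASSESSMENT_RULES if rule(ENTITIES[n])) >= threshold}

if __name__ == "__main__":
    record_a = related_group("run_key")
    record_b = {"dropper.exe", "payload.dll", "other.tmp"}  # constructed second-system record
    print(sorted(record_a), sorted(malicious_entities([record_a, record_b])))
```

The trusted-vendor filter inside the first rules is what keeps the expansion bounded; without it the group would absorb every shared system library the executable loads.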
Provisional Applications (1)
Number Date Country
60783242 Mar 2006 US