{"def_to_off":{"head":{"vars":["query_def_tech_label","top_def_tech_label","def_tactic_label","def_tactic_rel_label","def_tech_label","def_artifact_rel_label","def_artifact_label","off_artifact_label","off_artifact_rel_label","off_tech_label","off_tech_id","off_tech_parent_label","off_tech_parent_is_toplevel","off_tactic_rel_label","off_tactic_label","def_tactic","def_tactic_rel","def_tech","def_artifact_rel","def_artifact","off_artifact","off_artifact_rel","off_tech","off_tech_parent","off_tactic_rel","off_tactic"]},"results":{"bindings":[]}},"description":{"@context":{"rdfs":"http://www.w3.org/2000/01/rdf-schema#","owl":"http://www.w3.org/2002/07/owl#","d3f":"http://d3fend.mitre.org/ontologies/d3fend.owl#","skos":"http://www.w3.org/2004/02/skos/core#"},"@graph":[{"@id":"d3f:UserDataTransferAnalysis","@type":["d3f:UserDataTransferAnalysis","owl:NamedIndividual","owl:Class"],"d3f:analyzes":{"@id":"d3f:ResourceAccess"},"d3f:d3fend-id":"D3-UDTA","d3f:definition":"Analyzing the amount of data transferred by a user.","d3f:kb-article":"## How it works\nUnusual data transfer activity may indicate unauthorized activity. Data transfers can be analyzed by collecting network traffic or application logs.\n\n## Considerations\n* There is a potential for false positives from anomalies that are not associated with unauthorized activity.\n* Attackers that move low and slow may not differentiate their data transfer behavior enough for an alert to trigger.","d3f:kb-reference":[{"@id":"d3f:Reference-SystemAndMethodThereofForIdentifyingAndRespondingToSecurityIncidentsBasedOnPreemptiveForensics_PaloAltoNetworksInc"},{"@id":"d3f:Reference-SystemForImplementingThreatDetectionUsingThreatAndRiskAssessmentOfAsset-actorInteractions_VECTRANETWORKSInc"}],"rdfs:label":"User Data Transfer Analysis","rdfs:subClassOf":{"@id":"d3f:UserBehaviorAnalysis"}}]},"digital_artifacts":{"head":{"vars":["query_def_tech_label","top_def_tech_label","def_tech_label","def_artifact_rel_label","def_artifact_label","def_tactic","def_tactic_rel","def_tech","def_artifact_rel","def_artifact"]},"results":{"bindings":[{"query_def_tech_label":{"type":"literal","value":"User Data Transfer Analysis"},"top_def_tech_label":{"type":"literal","value":"User Behavior Analysis"},"def_tech_label":{"type":"literal","value":"User Data Transfer Analysis"},"def_artifact_rel_label":{"type":"literal","value":"analyzes"},"def_artifact_label":{"type":"literal","value":"Resource Access"},"def_tactic":{"type":"uri","value":"http://d3fend.mitre.org/ontologies/d3fend.owl#Detect"},"def_tactic_rel":{"type":"uri","value":"http://d3fend.mitre.org/ontologies/d3fend.owl#enables"},"def_tech":{"type":"uri","value":"http://d3fend.mitre.org/ontologies/d3fend.owl#UserDataTransferAnalysis"},"def_artifact_rel":{"type":"uri","value":"http://d3fend.mitre.org/ontologies/d3fend.owl#analyzes"},"def_artifact":{"type":"uri","value":"http://d3fend.mitre.org/ontologies/d3fend.owl#ResourceAccess"}}]}},"subtechniques":{"@context":{"rdfs":"http://www.w3.org/2000/01/rdf-schema#","owl":"http://www.w3.org/2002/07/owl#","d3f":"http://d3fend.mitre.org/ontologies/d3fend.owl#","skos":"http://www.w3.org/2004/02/skos/core#"},"@graph":[]},"weaknesses":{"head":{"vars":["query_def_tech_label","top_def_tech_label","def_tactic_label","def_tactic_rel_label","def_tech_label","def_artifact_rel_label","def_artifact_label","weak_artifact_label","weak_artifact_rel_label","weak_label","def_tactic","def_tactic_rel","def_tech","def_artifact_rel","def_artifact","weak_artifact","weak_artifact_rel","weak","weak_id"]},"results":{"bindings":[]}},"related_offensive_matrix":{},"references":{"@context":{"rdfs":"http://www.w3.org/2000/01/rdf-schema#","d3f":"http://d3fend.mitre.org/ontologies/d3fend.owl#"},"@graph":[{"@id":"d3f:Reference-SystemAndMethodThereofForIdentifyingAndRespondingToSecurityIncidentsBasedOnPreemptiveForensics_PaloAltoNetworksInc","@type":["d3f:PatentReference","http://www.w3.org/2002/07/owl#NamedIndividual"],"d3f:has-link":{"@type":"http://www.w3.org/2001/XMLSchema#anyURI","@value":"https://patents.google.com/patent/US20160142424A1"},"d3f:kb-abstract":"A system is connected to a plurality of user devices coupled to an enterprise's network. The system continuously collects, stores, and analyzes forensic data related to the enterprise's network. Based on the analysis, the system is able to determine normal behavior of the network and portions thereof and thereby identify abnormal behaviors within the network. Upon identification of an abnormal behavior, the system determines whether the abnormal behavior relates to a security incident. Upon determining a security incident in any portion of the enterprise's network, the system extracts forensic data respective of the security incident and enables further assessment of the security incident as well as identification of the source of the security incident. The system provides real-time damage assessment respective of the security incident as well as the security incident's attributions.","d3f:kb-author":"Gil BARAK; Shai MORAG","d3f:kb-mitre-analysis":"This patent describes detecting abnormal behavior related to a security incident by collecting and analyzing forensic data in real time. Forensic data may include:\n\n* URLs visited\n* data downloaded or streamed\n* messages received and sent\n* amount of memory used for processing\n\nThe data is then analyzed according to a set of dynamically created rules to determine normal behavior patterns associated with the network or user devices. Anomalies between current behavior and normal behavior patterns trigger an alert.","d3f:kb-organization":"Palo Alto Networks Inc","d3f:kb-reference-of":[{"@id":"d3f:ResourceAccessPatternAnalysis"},{"@id":"d3f:UserDataTransferAnalysis"},{"@id":"d3f:WebSessionActivityAnalysis"}],"d3f:kb-reference-title":"System and method thereof for identifying and responding to security incidents based on preemptive forensics","d3f:reference-type-label":"Patent","rdfs:label":"Reference - System and method thereof for identifying and responding to security incidents based on preemptive forensics - Palo Alto Networks Inc"},{"@id":"d3f:Reference-SystemForImplementingThreatDetectionUsingThreatAndRiskAssessmentOfAsset-actorInteractions_VECTRANETWORKSInc","@type":["d3f:PatentReference","http://www.w3.org/2002/07/owl#NamedIndividual"],"d3f:has-link":{"@type":"http://www.w3.org/2001/XMLSchema#anyURI","@value":"https://patents.google.com/patent/US20160191559A1"},"d3f:kb-abstract":"Disclosed is an approach to detect insider threats, by tracking unusual access activity for a specific user or computer with regard to accessing key assets over time. In this way, malicious activity and the different preparation phases of attacks can be identified.","d3f:kb-author":"Himanshu Mhatre; David Lopes Pegna; Oliver Brdiczka","d3f:kb-mitre-analysis":"The patent describes an insider threat detection system that analyzes packets sent within a network to identify and isolate malicious behavior. Current network traffic is collected and developed into a baseline that establishes the amount of data sent and received between a specific asset and a host. Current data transfer values are then compared with the baseline to identify anomalies.","d3f:kb-organization":"VECTRA NETWORKS Inc","d3f:kb-reference-of":{"@id":"d3f:UserDataTransferAnalysis"},"d3f:kb-reference-title":"System for implementing threat detection using threat and risk assessment of asset-actor interactions","d3f:reference-type-label":"Patent","rdfs:label":"Reference - System for implementing threat detection using threat and risk assessment of asset-actor interactions - VECTRA NETWORKS Inc"}]},"references_meta":{"Patent":2}}