Automated detection of session-based access anomalies in a computer network through processing of session data

US 10,003,607 B1
Filed: 03/24/2016
Issued: 06/19/2018
Est. Priority Date: 03/24/2016
Status: Active Grant

First Claim

Patent Images

1. A method for automated detection of access anomalies, the method comprising steps of:

obtaining data characterizing a plurality of network sessions for each of a plurality of user identifiers wherein the network sessions are initiated from a plurality of user devices over at least one network;

processing the data characterizing the network sessions for a given one of the plurality of user identifiers to generate a network session profile for the given user identifier, the network session profile comprising a plurality of histograms for respective ones of a plurality of features extracted at least in part from the data characterizing the plurality of network sessions for the given user identifier;

obtaining data characterizing a current network session for the given user identifier;

generating a risk score for the current network session based on one or more features extracted from the data characterizing the current network session for the given user identifier and the network session profile for the given user identifier;

comparing the risk score to a threshold; and

generating an alert relating to the current session based on a result of comparing the risk score to the threshold;

wherein the alert is transmitted over said at least one network to a security agent;

wherein the risk score is generated as a function of one or more feature risk scores for one or more extracted features, and the feature risk score for a given extracted feature is determined by;

obtaining a value of the feature for the current session;

identifying a particular one of a plurality of bins of the histogram for the given extracted feature into which the feature value falls;

computing a bin probability density function for that particular bin; and

generating the feature risk score as a function of the bin probability density function; and

wherein the steps are performed by at least one processing device comprising a processor coupled to a memory.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A processing device in one embodiment comprises a processor coupled to a memory and is configured to obtain data characterizing a plurality of network sessions for each of a plurality of user identifiers. The network sessions are initiated from a plurality of user devices over at least one network and may comprise respective virtual private network (VPN) sessions. The processing device is further configured to process the data characterizing the network sessions for a given one of the plurality of user identifiers to generate a network session profile for the given user identifier, the network session profile comprising a plurality of histograms for respective ones of a plurality of features extracted from the data characterizing the plurality of network sessions for the given user identifier. A risk score is generated for a current network session utilizing features extracted from the data characterizing that session and the network session profile.

Citations

21 Claims

1. A method for automated detection of access anomalies, the method comprising steps of:
- obtaining data characterizing a plurality of network sessions for each of a plurality of user identifiers wherein the network sessions are initiated from a plurality of user devices over at least one network;
  
  processing the data characterizing the network sessions for a given one of the plurality of user identifiers to generate a network session profile for the given user identifier, the network session profile comprising a plurality of histograms for respective ones of a plurality of features extracted at least in part from the data characterizing the plurality of network sessions for the given user identifier;
  
  obtaining data characterizing a current network session for the given user identifier;
  
  generating a risk score for the current network session based on one or more features extracted from the data characterizing the current network session for the given user identifier and the network session profile for the given user identifier;
  
  comparing the risk score to a threshold; and
  
  generating an alert relating to the current session based on a result of comparing the risk score to the threshold;
  
  wherein the alert is transmitted over said at least one network to a security agent;
  
  wherein the risk score is generated as a function of one or more feature risk scores for one or more extracted features, and the feature risk score for a given extracted feature is determined by;
  
  obtaining a value of the feature for the current session;
  
  identifying a particular one of a plurality of bins of the histogram for the given extracted feature into which the feature value falls;
  
  computing a bin probability density function for that particular bin; and
  
  generating the feature risk score as a function of the bin probability density function; and
  
  wherein the steps are performed by at least one processing device comprising a processor coupled to a memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 wherein the network sessions comprise respective virtual private network (VPN) sessions.
  - 3. The method of claim 1 wherein the extracted features include one or more extracted features for each of device hostname, device location, session behavior and number of failed sessions.
  - 4. The method of claim 3 wherein the one or more extracted features for device hostname comprises a normalized device hostname obtained by applying one or more normalization operations to the device hostname.
  - 5. The method of claim 3 wherein the one or more extracted features for device location comprise a country, an autonomous system identifier and a ground speed score.
  - 6. The method of claim 3 wherein the one or more extracted features for session behavior comprise a session start time, a session duration, a session day type indicating if the session day is a weekday or a weekend, a number of bytes sent during the session and a number of bytes received during the session.
  - 7. The method of claim 3 wherein the one or more extracted features for number of failed sessions comprises a number of failed sessions determined as a function of:
    - (i) number of failed sessions for the given user identifier over a prior time period of predetermined length; and
      
      (ii) number of failed sessions for the given user identifier since a last successful session for the given user identifier.
  - 8. The method of claim 1 wherein at least one of the extracted features is extracted from the data characterizing the plurality of network sessions for the given user identifier and the data characterizing the current network session for the given user identifier.
  - 9. The method of claim 1 wherein the histogram for a given one of the extracted features comprises a plurality of bins where i is a bin index and wherein bin i has at least the following parameters:
    - (i) a bin width given by w[i];
      
      (ii) a bin probability given by Prob[i]=n[i]/N where n[i] denotes the number of network sessions having values for the given extracted feature that fall into bin i and N denotes the total number of network sessions in the plurality of network sessions for the given user identifier; and
      
      (iii) a bin probability density function given by Pdf[i]=Prob[i]/w[i];
      
      wherein a feature risk score for a given extracted feature is determined by;
      
      obtaining a value of the feature for the current session;
      
      identifying the particular one of the bins into which the feature value falls;
      
      computing the bin probability density function for that particular bin;
      
      computing significance of the bin probability density function; and
      
      outputting the significance as the feature risk score.
  - 10. The method of claim 1 wherein generating a risk score for the current network session based on the network session profile for the given user identifier comprises:
    - generating feature risk scores for respective ones of the extracted features;
      
      applying weights to the feature risk scores; and
      
      combining the weighted feature risk scores into a composite risk score.
  - 11. The method of claim 10 wherein combining the weighted feature risk scores into a composite risk score comprises computing the composite risk score in accordance with the following equation:
  - 12. The method of claim 1 wherein each of at least a subset of the extracted features has at least first and second histograms associated therewith, the first histogram comprising a user histogram for the corresponding extracted feature and the second histogram comprising a group histogram for that extracted feature, wherein the user histogram is generated from data characterizing the plurality of network sessions for the given user identifier and the group histogram is generated from data characterizing a plurality of network sessions for the given user identifier and data characterizing a plurality of network sessions for each of multiple other user identifiers.
  - 13. The method of claim 12 wherein generating a risk score for the current network session based on the network session profile for the given user identifier comprises:
    - generating a user risk score for a given one of the extracted features utilizing the corresponding user histogram;
      
      generating a group risk score for the given one of the extracted features utilizing the corresponding group histogram; and
      
      combining the user risk score and the group risk score to generate a feature risk score for the given extracted feature.
  - 14. The method of claim 13 wherein combining the user risk score and the group risk score to generate a feature risk score for the given extracted feature comprises computing the feature risk score in accordance with the following equation:
    - S[f]=(1−
      
      ∝
      
      _G)·
      
      S_U[f]+∝
      
      _G·
      
      S_G[f], where S[f] is the feature risk score, S_U[f] is the user risk score, S_G[f] is the group risk score, ∝
      
      _Gis a group weight function given by ∝
      
      _G=e^−
      
      β
      
      N(1−
      
      ∝
      
      ₀)+∝
      
      ₀, ∝
      
      ₀is an initial group weight parameter and N denotes the total number of network sessions in the plurality of network sessions for the given user identifier, and where ∝
      
      _G=1 for N=0, ∝
      
      _G=∝
      
      ₀for N→
      
      ∞ and
      
      ∝
      
      _G(N) is a monotonically decreasing function with respect to N.
  - 15. The method of claim 1 wherein generating an alert relating to the current session based on a result of comparing the risk score to the threshold comprises:
    - generating an alert of a first type based on a result of comparing a network session risk score to a first threshold; and
      
      generating an alert of a second type different than the first type based on a result of comparing a ground speed score to a second threshold.

16. A non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing device causes said at least one processing device:
- to obtain data characterizing a plurality of network sessions for each of a plurality of user identifiers wherein the network sessions are initiated from a plurality of user devices over at least one network;
  
  to process the data characterizing the network sessions for a given one of the plurality of user identifiers to generate a network session profile for the given user identifier, the network session profile comprising a plurality of histograms for respective ones of a plurality of features extracted from the data characterizing the plurality of network sessions for the given user identifier;
  
  to obtain data characterizing a current network session for the given user identifier;
  
  to generate a risk score for the current network session based on one or more features extracted from the data characterizing the current network session for the given user identifier and the network session profile for the given user identifier;
  
  to compare the risk score to a threshold; and
  
  to generate an alert relating to the current session based on a result of comparing the risk score to the threshold;
  
  wherein the alert is transmitted over said at least one network to a security agent; and
  
  wherein the risk score is generated as a function of one or more feature risk scores for one or more extracted features, and the feature risk score for a given extracted feature is determined by;
  
  obtaining a value of the feature for the current session;
  
  identifying a particular one of a plurality of bins of the histogram for the given extracted feature into which the feature value falls;
  
  computing a bin probability density function for that particular bin; and
  
  generating the feature risk score as a function of the bin probability density function.
- View Dependent Claims (17, 18)
- - 17. The processor-readable storage medium of claim 16 wherein each of at least a subset of the extracted features has at least first and second histograms associated therewith, the first histogram comprising a user histogram for the corresponding extracted feature and the second histogram comprising a group histogram for that extracted feature, wherein the user histogram is generated from data characterizing the plurality of network sessions for the given user identifier and the group histogram is generated from data characterizing a plurality of network sessions for the given user identifier and data characterizing a plurality of network sessions for each of multiple other user identifiers.
  - 18. The processor-readable storage medium of claim 17 wherein the program code when executed by at least one processing device causes said at least one processing device to generate a risk score for the current network session based on the network session profile for the given user identifier by causing said at least one processing device:
    - to generate a user risk score for a given one of the extracted features utilizing the corresponding user histogram;
      
      to generate a group risk score for the given one of the extracted features utilizing the corresponding group histogram; and
      
      to combine the user risk score and the group risk score to generate a feature risk score for the given extracted feature.

19. An apparatus comprising:
- at least one processing device comprising a processor coupled to a memory;
  
  said at least one processing device being configured;
  
  to obtain data characterizing a plurality of network sessions for each of a plurality of user identifiers wherein the network sessions are initiated from a plurality of user devices over at least one network;
  
  to process the data characterizing the network sessions for a given one of the plurality of user identifiers to generate a network session profile for the given user identifier, the network session profile comprising a plurality of histograms for respective ones of a plurality of features extracted from the data characterizing the plurality of network sessions for the given user identifier;
  
  to obtain data characterizing a current network session for the given user identifier;
  
  to generate a risk score for the current network session based on one or more features extracted from the data characterizing the current network session for the given user identifier and the network session profile for the given user identifier;
  
  to compare the risk score to a threshold; and
  
  to generate an alert relating to the current session based on a result of comparing the risk score to the threshold;
  
  wherein the alert is transmitted over said at least one network to a security agent; and
  
  wherein the risk score is generated as a function of one or more feature risk scores for one or more extracted features, and the feature risk score for a given extracted feature is determined by;
  
  obtaining a value of the feature for the current session;
  
  identifying a particular one of a plurality of bins of the histogram for the given extracted feature into which the feature value falls;
  
  computing a bin probability density function for that particular bin; and
  
  generating the feature risk score as a function of the bin probability density function.
- View Dependent Claims (20, 21)
- - 20. The apparatus of claim 19 wherein each of at least a subset of the extracted features has at least first and second histograms associated therewith, the first histogram comprising a user histogram for the corresponding extracted feature and the second histogram comprising a group histogram for that extracted feature, wherein the user histogram is generated from data characterizing the plurality of network sessions for the given user identifier and the group histogram is generated from data characterizing a plurality of network sessions for the given user identifier and data characterizing a plurality of network sessions for each of multiple other user identifiers.
  - 21. The apparatus of claim 19 wherein said at least one processing device is further configured to execute one or more automated remedial actions responsive to the alert and wherein the one or more automated remedial actions comprise at least one of:
    - terminating the current access; and
      
      suspending the current access until one or more specified authentication factors are obtained and verified for the given user identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Kolman, Eyal, Raviv, Kineret
Primary Examiner(s)
Shiferaw, Eleni A
Assistant Examiner(s)
Song, Hee K

Application Number

US15/079,219
Time in Patent Office

817 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/552   involving long-term monitor...

H04L 63/0272   Virtual private networks

H04L 63/083   using passwords cryptograph...

H04L 63/1408   by monitoring network traff...

Automated detection of session-based access anomalies in a computer network through processing of session data

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Automated detection of session-based access anomalies in a computer network through processing of session data

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links