Automated detection of session-based access anomalies in a computer network through processing of session data
First Claim
1. A method for automated detection of access anomalies, the method comprising steps of:
obtaining data characterizing a plurality of network sessions for each of a plurality of user identifiers wherein the network sessions are initiated from a plurality of user devices over at least one network;
processing the data characterizing the network sessions for a given one of the plurality of user identifiers to generate a network session profile for the given user identifier, the network session profile comprising a plurality of histograms for respective ones of a plurality of features extracted at least in part from the data characterizing the plurality of network sessions for the given user identifier;
obtaining data characterizing a current network session for the given user identifier;
generating a risk score for the current network session based on one or more features extracted from the data characterizing the current network session for the given user identifier and the network session profile for the given user identifier;
comparing the risk score to a threshold; and
generating an alert relating to the current session based on a result of comparing the risk score to the threshold;
wherein the alert is transmitted over said at least one network to a security agent;
wherein the risk score is generated as a function of one or more feature risk scores for one or more extracted features, and the feature risk score for a given extracted feature is determined by:
obtaining a value of the feature for the current session;
identifying a particular one of a plurality of bins of the histogram for the given extracted feature into which the feature value falls;
computing a bin probability density function for that particular bin; and
generating the feature risk score as a function of the bin probability density function; and
wherein the steps are performed by at least one processing device comprising a processor coupled to a memory.
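The claim above is a procedure: build a per-user profile of histograms from past sessions, look up the bin a new session's feature value falls into, turn that bin's probability density into a feature risk score, combine the feature scores, compare to a threshold and raise an alert. The following is an added worked example of that procedure, written for this page; it is not code from the patent or its assignee. The bin edges, the three features (hour of day, session duration, bytes sent), the use of surprisal (negative log probability) as the feature risk score, the mean as the combining function, the additive smoothing and the session records are all assumptions constructed for the example.

```python
"""Added example (not the patent's code): per-user session profiles as
per-feature histograms, bin probability for a new session's feature values,
a feature risk score derived from it, a combined risk score, a threshold
check and an alert record destined for the security agent."""
import bisect
import math

# Bin edges per feature (an assumption; the patent does not fix bin boundaries).
FEATURE_BINS = {
    "hour_of_day": [0, 6, 9, 12, 15, 18, 21, 24],
    "duration_minutes": [0, 15, 60, 240, 720, 1440],
    "bytes_out_mb": [0, 10, 100, 1000, 10000],
}

# Constructed historical VPN session records for one user identifier:
# morning logins, one and a half to three hours, tens of megabytes out.
HISTORICAL_SESSIONS = [
    ("alice", {"hour_of_day": 8 if k % 2 == 0 else 10,
               "duration_minutes": 90 + 5 * k,
               "bytes_out_mb": 20 + k})
    for k in range(20)
]


def bin_index(edges, value):
    """Index i with edges[i] <= value < edges[i+1]; values outside the
    range are clamped into the first or last bin rather than dropped."""
    i = bisect.bisect_right(edges, value) - 1
    return max(0, min(i, len(edges) - 2))


def build_profile(sessions, user_id):
    """Network session profile: one count histogram per feature, built
    only from the sessions that belong to user_id."""
    profile = {f: [0] * (len(e) - 1) for f, e in FEATURE_BINS.items()}
    for uid, feats in sessions:
        if uid != user_id:
            continue
        for feature, edges in FEATURE_BINS.items():
            profile[feature][bin_index(edges, feats[feature])] += 1
    return profile


def bin_probability(counts, i, alpha=1.0):
    """Smoothed probability mass of bin i (additive smoothing, so a bin the
    user has never hit yields a small non-zero probability, not log(0))."""
    return (counts[i] + alpha) / (sum(counts) + alpha * len(counts))


def feature_risk(profile, feature, value):
    """Feature risk score: surprisal of the bin the current value falls into.
    A bin the user rarely or never uses scores high; a habitual bin scores low."""
    edges = FEATURE_BINS[feature]
    p = bin_probability(profile[feature], bin_index(edges, value))
    return -math.log(p)


def session_risk(profile, session):
    """Risk score for the session: mean of the per-feature risk scores."""
    per_feature = {f: feature_risk(profile, f, session[f]) for f in FEATURE_BINS}
    return sum(per_feature.values()) / len(per_feature), per_feature


def evaluate_session(profile, user_id, session, threshold=2.0):
    """Compare the risk score to the threshold. Returns (score, alert);
    alert is None when the score does not exceed the threshold."""
    score, per_feature = session_risk(profile, session)
    if score <= threshold:
        return score, None
    alert = {
        "user_id": user_id,
        "risk_score": round(score, 3),
        # The two features that contributed most, so the analyst sees why.
        "top_features": sorted(per_feature, key=per_feature.get, reverse=True)[:2],
    }
    return score, alert


if __name__ == "__main__":
    prof = build_profile(HISTORICAL_SESSIONS, "alice")
    for s in ({"hour_of_day": 9, "duration_minutes": 120, "bytes_out_mb": 30},
              {"hour_of_day": 3, "duration_minutes": 600, "bytes_out_mb": 5000}):
        print(evaluate_session(prof, "alice", s))
```

With the constructed history, a 9 a.m. two-hour session sending 30 MB scores about 0.40 and produces no alert, while a 3 a.m. ten-hour session sending 5 GB scores about 3.23 and produces an alert naming the user and the features that drove the score. The smoothing constant and the threshold are the two knobs a deployment would tune: a larger `alpha` makes a sparse profile (few past sessions) less eager to alert, and the threshold sets how many feature surprises it takes before the security agent is paged.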
Abstract
A processing device in one embodiment comprises a processor coupled to a memory and is configured to obtain data characterizing a plurality of network sessions for each of a plurality of user identifiers. The network sessions are initiated from a plurality of user devices over at least one network and may comprise respective virtual private network (VPN) sessions. The processing device is further configured to process the data characterizing the network sessions for a given one of the plurality of user identifiers to generate a network session profile for the given user identifier, the network session profile comprising a plurality of histograms for respective ones of a plurality of features extracted from the data characterizing the plurality of network sessions for the given user identifier. A risk score is generated for a current network session utilizing features extracted from the data characterizing that session and the network session profile.
21 Claims

1. Independent method claim, reproduced in full above under First Claim. Dependent claims 2 to 15 refer to claim 1.
16. A non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing device causes said at least one processing device:
to obtain data characterizing a plurality of network sessions for each of a plurality of user identifiers wherein the network sessions are initiated from a plurality of user devices over at least one network;
to process the data characterizing the network sessions for a given one of the plurality of user identifiers to generate a network session profile for the given user identifier, the network session profile comprising a plurality of histograms for respective ones of a plurality of features extracted from the data characterizing the plurality of network sessions for the given user identifier;
to obtain data characterizing a current network session for the given user identifier;
to generate a risk score for the current network session based on one or more features extracted from the data characterizing the current network session for the given user identifier and the network session profile for the given user identifier;
to compare the risk score to a threshold; and
to generate an alert relating to the current session based on a result of comparing the risk score to the threshold;
wherein the alert is transmitted over said at least one network to a security agent; and
wherein the risk score is generated as a function of one or more feature risk scores for one or more extracted features, and the feature risk score for a given extracted feature is determined by:
obtaining a value of the feature for the current session;
identifying a particular one of a plurality of bins of the histogram for the given extracted feature into which the feature value falls;
computing a bin probability density function for that particular bin; and
generating the feature risk score as a function of the bin probability density function.
Dependent claims 17 and 18 refer to claim 16.

19. An apparatus comprising:
at least one processing device comprising a processor coupled to a memory, said at least one processing device being configured:
to obtain data characterizing a plurality of network sessions for each of a plurality of user identifiers wherein the network sessions are initiated from a plurality of user devices over at least one network;
to process the data characterizing the network sessions for a given one of the plurality of user identifiers to generate a network session profile for the given user identifier, the network session profile comprising a plurality of histograms for respective ones of a plurality of features extracted from the data characterizing the plurality of network sessions for the given user identifier;
to obtain data characterizing a current network session for the given user identifier;
to generate a risk score for the current network session based on one or more features extracted from the data characterizing the current network session for the given user identifier and the network session profile for the given user identifier;
to compare the risk score to a threshold; and
to generate an alert relating to the current session based on a result of comparing the risk score to the threshold;
wherein the alert is transmitted over said at least one network to a security agent; and
wherein the risk score is generated as a function of one or more feature risk scores for one or more extracted features, and the feature risk score for a given extracted feature is determined by:
obtaining a value of the feature for the current session;
identifying a particular one of a plurality of bins of the histogram for the given extracted feature into which the feature value falls;
computing a bin probability density function for that particular bin; and
generating the feature risk score as a function of the bin probability density function.
Dependent claims 20 and 21 refer to claim 19.
Specification