
Automated detection of session-based access anomalies in a computer network through processing of session data

  • US 10,003,607 B1
  • Filed: 03/24/2016
  • Issued: 06/19/2018
  • Est. Priority Date: 03/24/2016
  • Status: Active Grant
First Claim

1. A method for automated detection of access anomalies, the method comprising steps of:

    obtaining data characterizing a plurality of network sessions for each of a plurality of user identifiers wherein the network sessions are initiated from a plurality of user devices over at least one network;

    processing the data characterizing the network sessions for a given one of the plurality of user identifiers to generate a network session profile for the given user identifier, the network session profile comprising a plurality of histograms for respective ones of a plurality of features extracted at least in part from the data characterizing the plurality of network sessions for the given user identifier;

    obtaining data characterizing a current network session for the given user identifier;

    generating a risk score for the current network session based on one or more features extracted from the data characterizing the current network session for the given user identifier and the network session profile for the given user identifier;

    comparing the risk score to a threshold; and

    generating an alert relating to the current session based on a result of comparing the risk score to the threshold;

    wherein the alert is transmitted over said at least one network to a security agent;

    wherein the risk score is generated as a function of one or more feature risk scores for one or more extracted features, and the feature risk score for a given extracted feature is determined by:

    obtaining a value of the feature for the current session;

    identifying a particular one of a plurality of bins of the histogram for the given extracted feature into which the feature value falls;

    computing a bin probability density function for that particular bin; and

    generating the feature risk score as a function of the bin probability density function; and

    wherein the steps are performed by at least one processing device comprising a processor coupled to a memory.
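
The steps of claim 1 can be followed end to end in a short sketch; this is an added example, not code from the patent or its assignee. The feature set, the binning, the use of a smoothed relative bin frequency as the bin probability, the mean as the combining function, the threshold value and all names are assumptions, since the claim fixes none of them.

```python
from collections import Counter

THRESHOLD = 0.7  # assumed alert threshold; the claim fixes no value

def extract_features(session):
    """Assumed features and binning: one histogram bin label per feature."""
    return {
        "login_hour": session["hour"] // 4,                    # six 4-hour bins
        "duration": min(session["minutes"] // 30, 8),          # 30-minute bins, capped
        "source_subnet": session["src_ip"].rsplit(".", 1)[0],  # /24 as a category
    }

def build_profile(sessions):
    """Session profile for one user identifier: feature -> histogram of bin counts."""
    profile = {}
    for s in sessions:
        for name, bin_label in extract_features(s).items():
            profile.setdefault(name, Counter())[bin_label] += 1
    return profile

def feature_risk(hist, bin_label):
    """Risk = 1 - smoothed relative frequency of the bin (assumed function)."""
    total = sum(hist.values())
    # Add-one smoothing with one extra slot so a never-seen bin gets p > 0.
    p_bin = (hist.get(bin_label, 0) + 1) / (total + len(hist) + 1)
    return 1.0 - p_bin

def score_session(profile, session):
    """Return (session risk, per-feature risks); session risk is the mean (assumed)."""
    risks = {name: feature_risk(profile.get(name, Counter()), b)
             for name, b in extract_features(session).items()}
    return sum(risks.values()) / len(risks), risks

def check_session(user, profile, session, threshold=THRESHOLD):
    """Compare the risk score to the threshold; return an alert record or None."""
    risk, per_feature = score_session(profile, session)
    if risk <= threshold:
        return None
    return {"user": user, "risk": round(risk, 3), "features": per_feature}

# Constructed sample data: 20 sessions for one user identifier.
HISTORY = [{"hour": 9 + i % 3, "minutes": 35 + i, "src_ip": f"10.0.5.{10 + i}"}
           for i in range(20)]
PROFILE = build_profile(HISTORY)

if __name__ == "__main__":
    usual = {"hour": 10, "minutes": 45, "src_ip": "10.0.5.77"}
    odd = {"hour": 3, "minutes": 400, "src_ip": "203.0.113.7"}
    print(check_session("alice", PROFILE, usual))  # no alert
    print(check_session("alice", PROFILE, odd))    # alert record
```

With the mean as the combining function, a session that deviates on a single feature (for example only the source subnet) stays below the assumed threshold; a maximum or weighted sum would alert on it.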

  • 9 Assignments