Rarity analysis in network security anomaly/threat detection

  • US 10,038,707 B2
  • Filed: 10/30/2015
  • Issued: 07/31/2018
  • Est. Priority Date: 08/31/2015
  • Status: Active Grant
First Claim

1. A method comprising:

  • analyzing, by a computer system, event data representative of data traffic associated with a computer network to identify a feature of the data traffic, the data traffic including a plurality of occurrences of the feature, each occurrence of the feature having one of a plurality of values of the feature;

  • identifying, by the computer system, a set of the values whose probability of occurrence does not exceed a probability of occurrence of a particular value of the plurality of values, the set of the values being those values of the feature that have occurred not more than the number of times of the particular value;

  • determining, by the computer system, a rarity score for the particular value as a function of the probability of occurrence of the set of the values;

  • detecting, by the computer system, that activity of an entity on the computer network is anomalous in a security context, by determining that an occurrence of the particular value corresponds to an anomaly, based on the rarity score, wherein said determining the rarity score of the particular value and said determining that the occurrence of the particular value corresponds to an anomaly comprise executing a machine learning model at the computer system; and

  • enabling, by the computer system, a targeted response to a security threat indicated by the activity by causing a display of an indication that the activity is anomalous.
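As an added illustration (not code from the patent or its assignee), the following Python sketch walks through the rarity computation in the claim over a constructed set of events: count each value of a feature, form the set of values that occurred no more often than the value under test, take that set's probability of occurrence, and score it. The scoring function (negative log of the set probability) and the anomaly threshold are assumptions, since the claim only calls for "a function of" that probability and does not describe the machine learning model.

```python
from collections import Counter
import math

# Constructed sample events: one value of the feature "dst_port" per event.
# 443 and 80 dominate, 22 is uncommon, 4444 occurs exactly once.
SAMPLE_EVENTS = (
    [{"src": "10.0.0.5", "dst_port": 443}] * 12
    + [{"src": "10.0.0.5", "dst_port": 80}] * 5
    + [{"src": "10.0.0.7", "dst_port": 22}] * 2
    + [{"src": "10.0.0.9", "dst_port": 4444}]
)

def feature_counts(events, feature):
    """Count how many times each value of `feature` occurs in the event data."""
    return Counter(e[feature] for e in events if feature in e)

def rare_value_set(counts, value):
    """The claim's set: values that occurred not more often than `value`."""
    n = counts[value]
    return {v for v, c in counts.items() if c <= n}

def set_probability(counts, value):
    """Probability of occurrence of that set: its combined count over all events."""
    total = sum(counts.values())
    return sum(counts[v] for v in rare_value_set(counts, value)) / total

def rarity_score(counts, value):
    """Assumed scoring function: -log of the set probability, so rarer means higher.
    The claim says only 'a function of' that probability; this is one choice."""
    return -math.log(set_probability(counts, value))

def anomalous_values(counts, threshold):
    """Values whose rarity score meets an assumed threshold, rarest first."""
    scored = sorted(((v, rarity_score(counts, v)) for v in counts),
                    key=lambda t: t[1], reverse=True)
    return [v for v, s in scored if s >= threshold]

if __name__ == "__main__":
    counts = feature_counts(SAMPLE_EVENTS, "dst_port")
    for v in sorted(counts, key=lambda v: rarity_score(counts, v), reverse=True):
        print(v, counts[v], round(set_probability(counts, v), 3),
              round(rarity_score(counts, v), 3))
    print("anomalous:", anomalous_values(counts, 2.0))
```

Note that the set always includes the value itself, so the most common value scores 0 and a value seen once scores highest, regardless of how many distinct values exist.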
