Detecting and managing abnormal data behavior
First Claim
1. A method performed by one or more processors, the method comprising:
- continuously:
  - identifying one or more normal data movements performed by a particular computing device over a network;
  - determining a current data movement profile for the particular computing device based on one or more identified data transfers during a particular time period, the current data movement profile including one or more current data movement attributes associated with the particular computing device and defining normal data movement for the particular computing device;
  - updating data stored that represents the current data movement profile such that the stored data represents the current data movement profile that is regularly updated;
  - identifying a data movement rule associated with the particular computing device, the data movement rule including a deviation amount representing a difference between an attribute of a detected data movement by the particular computing device outbound to a particular location, wherein the deviation amount specifying a percentage deviation from an amount of data transferred that triggers the data movement rule, and a corresponding current data movement attribute included in the current data movement profile for the particular computing device that indicates a violation of the data movement rule, and the data movement rule including one or more actions to be performed in response to a violation;
  - detecting a data movement associated with the particular computing device;
  - determining that the detected data movement represents an abnormal data movement in violation of the current data movement profile data movement rule; and
  - performing the one or more actions associated with the data movement rule upon determining that the detected data movement represents a violation of the current data movement profile data movement rule.
Abstract
Methods and systems for providing destination-specific network management are described. One example method includes determining a normal data movement profile for a computing device based on observed normal data transfer behavior by the computing device; identifying a data movement rule associated with the computing device, the data movement rule including a deviation amount, and one or more actions to take when the computing device deviates from the normal data movement profile by more than the deviation amount; detecting a data movement associated with the computing device; determining that the detected data movement exceeds the deviation amount included in the data movement rule relative to the normal data movement profile for the computing device; and performing the one or more actions associated with the data movement rule upon determining that the data movement violates the data movement rule.
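As an added illustration (not the patent's own code and not taken from this page), a minimal Python monitor that implements the loop the abstract and claims describe: a continuously updated per-device, per-destination profile of normal outbound transfer size, a rule carrying a percentage deviation threshold and actions, and a check of each detected outbound movement against that profile. The sliding-window mean as the profile attribute, the `min_samples` warm-up, and the host, destination and byte counts in `demo()` are all assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class DataMovementRule:
    """Rule in the claim's terms: a percentage deviation that triggers it, plus actions."""
    deviation_pct: float                 # e.g. 50.0 => trigger above 150% of baseline
    actions: List[Callable]              # each called as action(device, dest, nbytes, base, dev)
    destination: Optional[str] = None    # None = applies to any outbound location


class DataMovementMonitor:
    """Per-(device, destination) baseline of outbound bytes over the last `window` transfers.

    Assumed design, not the patent's implementation: the profile attribute is the mean
    bytes per transfer; no verdict is given until `min_samples` normal transfers are seen.
    """
    def __init__(self, window: int = 20, min_samples: int = 5):
        self.min_samples = min_samples
        self.profile = defaultdict(lambda: deque(maxlen=window))  # (device, dest) -> bytes
        self.rules = defaultdict(list)                            # device -> [rule]

    def add_rule(self, device: str, rule: DataMovementRule) -> None:
        self.rules[device].append(rule)

    def baseline(self, device: str, dest: str) -> Optional[float]:
        hist = self.profile[(device, dest)]
        return sum(hist) / len(hist) if len(hist) >= self.min_samples else None

    def observe(self, device: str, dest: str, nbytes: int):
        """Check one detected movement against the current profile, then refresh the profile."""
        violations, base = [], self.baseline(device, dest)
        for rule in self.rules[device]:
            if base is None or rule.destination not in (None, dest):
                continue
            deviation = (nbytes - base) / base * 100.0
            if deviation > rule.deviation_pct:
                violations.append((rule, deviation))
                for action in rule.actions:
                    action(device, dest, nbytes, base, deviation)
        # Continuous update: only non-violating transfers refine the profile, so a burst
        # of abnormal movement cannot quickly re-baseline itself as "normal".
        if not violations:
            self.profile[(device, dest)].append(nbytes)
        return violations


def demo():
    """Constructed sample: ten routine ~10 KB backups, then a 40 KB transfer to the same host."""
    alerts = []
    mon = DataMovementMonitor(window=10, min_samples=5)
    mon.add_rule("host-17", DataMovementRule(50.0, actions=[lambda d, dst, n, b, dev:
        alerts.append(f"{d}->{dst}: {n} B is {dev:.0f}% over baseline {b:.0f} B")]))
    for n in [9800, 10100, 10000, 9900, 10200, 10000, 9700, 10300, 10000, 10000]:
        mon.observe("host-17", "backup.example.net", n)
    return alerts, mon.observe("host-17", "backup.example.net", 40000)
```

Running `demo()` yields one alert: the 40000 byte transfer is 300% over the 10000 byte baseline, so the rule's action fires; a transfer only 20% over would pass and be folded into the profile.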
20 Claims
1. Independent method claim, reproduced above under First Claim. Dependent claims: 2 to 11.
12. A non-transitory, computer-readable medium storing instructions operable when executed to cause at least one processor to perform operations comprising:
- continuously:
  - identifying one or more normal data movements performed by a particular computing device over a network;
  - determining a current data movement profile for the particular computing device based on one or more identified data transfers during a particular time period, the current data movement profile including one or more current data movement attributes associated with the particular computing device and defining normal data movement for the particular computing device;
  - updating data stored that represents the current data movement profile such that the stored data represents the current data movement profile that is regularly updated;
  - identifying a data movement rule associated with the particular computing device, the data movement rule including a deviation amount representing a difference between an attribute of a detected data movement by the particular computing device outbound to a particular location, wherein the deviation amount specifying a percentage deviation from an amount of data transferred that triggers the data movement rule, and a corresponding current data movement attribute included in the current data movement profile for the particular computing device that indicates a violation of the data movement rule, and the data movement rule including one or more actions to be performed in response to a violation;
  - detecting a data movement associated with the particular computing device;
  - determining that the detected data movement represents an abnormal data movement in violation of the current data movement profile data movement rule; and
  - performing the one or more actions associated with the data movement rule upon determining that the detected data movement represents a violation of the current data movement profile data movement rule.

Dependent claims: 13 to 19.
20. A system comprising:
- memory for storing data; and
- one or more hardware processors operable to perform operations comprising, continuously:
  - identifying one or more normal data movements performed by a particular computing device over a network;
  - determining a current data movement profile for the particular computing device based on one or more identified data transfers during a particular time period, the current data movement profile including one or more current data movement attributes associated with the particular computing device and defining normal data movement for the particular computing device;
  - updating data stored that represents the current data movement profile such that the stored data represents the current data movement profile that is regularly updated;
  - identifying a data movement rule associated with the particular computing device, the data movement rule including a deviation amount representing a difference between an attribute of a detected data movement by the particular computing device outbound to a particular location, wherein the deviation amount specifying a percentage deviation from an amount of data transferred that triggers the data movement rule, and a corresponding current data movement attribute included in the current data movement profile for the particular computing device that indicates a violation of the data movement rule, and the data movement rule including one or more actions to be performed in response to a violation;
  - detecting a data movement associated with the particular computing device;
  - determining that the detected data movement represents an abnormal data movement in violation of the current data movement profile data movement rule; and
  - performing the one or more actions associated with the data movement rule upon determining that the detected data movement represents a violation of the current data movement profile data movement rule.
Specification