Machine-generated traffic detection (beaconing)
First Claim
1. A method comprising:
- detecting, by a computer system, outgoing traffic from a computer device, the outgoing traffic being indicative of a plurality of connection requests and being user-generated traffic or machine generated traffic;
- forming, by the computer system, a plurality of groups of the traffic indicative of the plurality of connection requests;
- determining, by the computer system, whether a particular group of the groups corresponds to user-generated traffic or machine generated traffic based on a periodicity of traffic indicative of connection requests determined as a function of a timing between traffic indicative of connection requests in the particular group and a plurality of connection parameters associated with the traffic indicative of connection requests in the particular group; and
- responsive to a determination that the particular group is machine generated traffic, determining, by the computer system, whether the particular group of traffic indicative of connection requests represents an anomaly based on a frequency at which the particular group of traffic indicative of connection requests has occurred for the outgoing traffic.
2 Assignments
0 Petitions
Abstract
A security platform employs a variety of techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is "big data" driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
57 Citations
30 Claims
1. A method comprising: (independent claim; text identical to the First Claim above.)
Dependent claims: 2 through 26.
27. A non-transitory computer-readable storage medium storing computer-readable instructions, the instructions comprising:
- instructions for detecting, by a computer system, outgoing traffic from a computer device, the outgoing traffic being indicative of a plurality of connection requests and being user-generated traffic or machine generated traffic;
- instructions for forming, by the computer system, a plurality of groups of the traffic indicative of the plurality of connection requests;
- instructions for determining, by the computer system, whether a particular group of the groups corresponds to user-generated traffic or machine generated traffic based on a periodicity of traffic indicative of connection requests determined as a function of a timing between traffic indicative of connection requests in the particular group and a plurality of connection parameters associated with the traffic indicative of connection requests in the particular group; and
- instructions for determining, by the computer system and responsive to a determination that the particular group is machine generated traffic, whether the particular group of traffic indicative of connection requests represents an anomaly based on a frequency at which the particular group of traffic indicative of connection requests has occurred for the outgoing traffic.
Dependent claims: 28, 29.
30. A system, comprising:
- a processor;
- a memory having instructions executable by the processor to cause the system to:
- detect outgoing traffic from a computer device, the outgoing traffic being indicative of a plurality of connection requests and being user-generated traffic or machine generated traffic;
- form a plurality of groups of the traffic indicative of the plurality of connection requests;
- determine whether a particular group of the groups corresponds to user-generated traffic or machine generated traffic based on a periodicity of traffic indicative of connection requests determined as a function of a timing between traffic indicative of connection requests in the particular group and a plurality of connection parameters associated with the traffic indicative of connection requests in the particular group; and
- determine, responsive to a determination that the particular group is machine generated traffic, whether the particular group of traffic indicative of connection requests represents an anomaly based on a frequency at which the particular group of traffic indicative of connection requests has occurred for the outgoing traffic.
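The independent claims describe one pipeline: group a device's outgoing connection requests by their connection parameters, measure each group's periodicity from the timing between its requests, classify periodic groups as machine generated, and flag a machine-generated group as an anomaly according to how often that group has previously occurred in the device's traffic. The block below is an added illustration of that pipeline in Python; it is not code from the patent, its specification, or the assignee, and the claim does not fix any of its specifics. Everything concrete is an assumption made here: the record fields (source host, destination, port, User-Agent) used as the connection parameters, the coefficient of variation of inter-arrival gaps as the periodicity measure with a 0.2 cutoff, a minimum of six requests per group, the constructed connection records, and the `BASELINE_WINDOWS` table standing in for the frequency with which each group has been seen before.

```python
"""Beaconing detection over constructed connection records.

Added example; not code from the patent or its assignee. The thresholds,
the record fields used as connection parameters, the sample records and the
baseline table are all assumptions chosen for illustration.
"""
from collections import defaultdict
from itertools import accumulate
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple


class Conn(NamedTuple):
    ts: int      # seconds since the epoch
    src: str     # originating host
    dst: str     # destination address
    dport: int   # destination port
    ua: str      # HTTP User-Agent ("-" for non-HTTP); treated as a connection parameter


# A group is one (src, dst, dport, ua) tuple: the connection parameters that the
# claim considers together with the timing between requests.
GroupKey = Tuple[str, str, int, str]

MIN_EVENTS = 6       # assumption: fewer requests cannot establish periodicity
MAX_CV = 0.2         # assumption: coefficient of variation at or below this is periodic
RARE_THRESHOLD = 2   # assumption: seen in fewer prior windows than this counts as rare


def timestamps_from_gaps(start: int, gaps: List[int]) -> List[int]:
    """Expand a start time and a list of inter-arrival gaps into timestamps."""
    return [start] + [start + t for t in accumulate(gaps)]


def build_sample() -> List[Conn]:
    """Constructed traffic for one workstation: an NTP poll, a beacon, a browsing session."""
    conns: List[Conn] = []
    # NTP client polling every 64 s: machine generated, but routine for this host.
    for ts in timestamps_from_gaps(1_700_000_000, [64] * 9):
        conns.append(Conn(ts, "ws01", "10.0.0.5", 123, "-"))
    # Implant checking in roughly every 60 s with a little jitter.
    for ts in timestamps_from_gaps(1_700_000_007, [60, 62, 59, 61, 58, 60, 62, 59, 61]):
        conns.append(Conn(ts, "ws01", "203.0.113.7", 443, "Mozilla/5.0"))
    # A person browsing: bursts and long pauses, no stable period.
    for ts in timestamps_from_gaps(1_700_000_003, [3, 45, 2, 310, 12, 7, 95, 1, 260]):
        conns.append(Conn(ts, "ws01", "198.51.100.20", 443, "Mozilla/5.0"))
    return conns


# Assumed history: number of prior observation windows (e.g. days) in which each
# group was already seen. It stands in for "the frequency at which the group has
# occurred for the outgoing traffic"; the beacon destination has no history at all.
BASELINE_WINDOWS: Dict[GroupKey, int] = {
    ("ws01", "10.0.0.5", 123, "-"): 30,
    ("ws01", "198.51.100.20", 443, "Mozilla/5.0"): 5,
}


def group_connections(conns: List[Conn]) -> Dict[GroupKey, List[int]]:
    """Form groups of requests that share the same connection parameters."""
    groups: Dict[GroupKey, List[int]] = defaultdict(list)
    for c in conns:
        groups[(c.src, c.dst, c.dport, c.ua)].append(c.ts)
    return {key: sorted(ts) for key, ts in groups.items()}


def periodicity_cv(timestamps: List[int]) -> float:
    """Coefficient of variation of the inter-arrival gaps (0.0 = perfectly periodic).

    Returns infinity when there are too few requests to judge.
    """
    if len(timestamps) < MIN_EVENTS:
        return float("inf")
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return float("inf")
    return pstdev(gaps) / avg


def classify(conns: List[Conn], baseline: Dict[GroupKey, int]) -> Dict[GroupKey, dict]:
    """Per group: is it machine generated, and if so, is it anomalous?"""
    verdicts: Dict[GroupKey, dict] = {}
    for key, ts in group_connections(conns).items():
        cv = periodicity_cv(ts)
        machine = cv <= MAX_CV
        # Only machine-generated groups are tested against history; a periodic
        # group this device has rarely or never produced before is the anomaly.
        anomaly = machine and baseline.get(key, 0) < RARE_THRESHOLD
        verdicts[key] = {
            "events": len(ts),
            "cv": round(cv, 3) if cv != float("inf") else cv,
            "machine_generated": machine,
            "anomaly": anomaly,
        }
    return verdicts


if __name__ == "__main__":
    for key, v in classify(build_sample(), BASELINE_WINDOWS).items():
        print(f"{key[1]}:{key[2]:<5} events={v['events']:2d} cv={v['cv']:<7} "
              f"machine={v['machine_generated']!s:5} anomaly={v['anomaly']}")
```

Running the block reports the NTP group as machine generated but not anomalous (it is in the baseline), the 203.0.113.7 group as machine generated and anomalous (periodic and never seen before), and the browsing group as user generated. The weak point of a fixed coefficient-of-variation cutoff is deliberate jitter: an implant sleeping 60 s plus or minus 30% pushes the ratio past 0.2, so a detector meant for adversarial traffic would also look at the autocorrelation or spectrum of the gap series, or tolerate a configured jitter band, rather than rely on this single statistic.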
Specification