Tracking users over network hosts based on user behavior

US 10,129,271 B2
Filed: 05/28/2015
Issued: 11/13/2018
Est. Priority Date: 05/28/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a computing apparatus having connectivity to a network, analyzing data included in network traffic logs that represents behavior of active network hosts that were operating at network addresses in the network during at least one of two or more time windows;

generating, based on the analyzing;

a first set of profiles for network addresses on which the active network hosts were operating during a first time window of the two or more time windows; and

a second set of profiles for the network addresses on which the active network hosts were operating during a second time window of the two or more time windows, wherein profiles in the first set of profiles and profiles in the second set of profiles include a plurality of behavior models;

determining similarity between a first profile from the first set of profiles and a second profile from the second set of profiles by comparing, in like-kind, the plurality of behavior models from the first profile and the plurality of behavior models from the second profile; and

mapping an identity that is associated with a first network address of the network addresses that has the first profile during the first time window to a second network address of the network addresses that has the second profile during the second time window, wherein the second network address is different from the first network address, and the mapping comprises;

creating a bipartite graph with;

(a) nodes that represent the active network hosts that were operating during the first time window and the second time window; and

(b) edges between the nodes that are weighted based on the similarity;

pruning any of the edges with a weight smaller than a pruning threshold so that remaining edges have a similarity greater than or equal to the pruning threshold; and

pruning the remaining edges with an algorithm that determines maximum weight matchings in the remaining edges of the bipartite graph.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of tracking users over network hosts based on behavior includes analyzing data representing behavior of active network hosts during two or more time windows at a computing apparatus having connectivity to a network. Based on the analyzing, a profile is generated for each network host active in the network during the two or more time windows. Similarity between the profiles for the two or more time windows are determined and, based on the similarity, it may be determined that an identity associated with one of the active network hosts during a time window of the two or more time windows has changed.

17 Citations

View as Search Results

20 Claims

1. A method comprising:
- at a computing apparatus having connectivity to a network, analyzing data included in network traffic logs that represents behavior of active network hosts that were operating at network addresses in the network during at least one of two or more time windows;
  
  generating, based on the analyzing;
  
  a first set of profiles for network addresses on which the active network hosts were operating during a first time window of the two or more time windows; and
  
  a second set of profiles for the network addresses on which the active network hosts were operating during a second time window of the two or more time windows, wherein profiles in the first set of profiles and profiles in the second set of profiles include a plurality of behavior models;
  
  determining similarity between a first profile from the first set of profiles and a second profile from the second set of profiles by comparing, in like-kind, the plurality of behavior models from the first profile and the plurality of behavior models from the second profile; and
  
  mapping an identity that is associated with a first network address of the network addresses that has the first profile during the first time window to a second network address of the network addresses that has the second profile during the second time window, wherein the second network address is different from the first network address, and the mapping comprises;
  
  creating a bipartite graph with;
  
  (a) nodes that represent the active network hosts that were operating during the first time window and the second time window; and
  
  (b) edges between the nodes that are weighted based on the similarity;
  
  pruning any of the edges with a weight smaller than a pruning threshold so that remaining edges have a similarity greater than or equal to the pruning threshold; and
  
  pruning the remaining edges with an algorithm that determines maximum weight matchings in the remaining edges of the bipartite graph.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - assigning user identifiers to each of the network addresses on which the active network hosts were operating during at least one of the two or more time windows based at least on the similarity.
  - 3. The method of claim 2, wherein the user identifiers assigned to the network addresses during the first time window are from a first set of user identifiers, and the method further comprises:
    - assigning one of the user identifiers from the first set of user identifiers to the network address on which one of the active network hosts was operating during the second time window based at least on the mapping.
  - 4. The method of claim 2, wherein the user identifiers assigned to the network addresses during the first time window are from a first set of user identifiers and the method further comprises:
    - assigning the user identifiers from a second set of user identifiers to the network addresses that have profiles from the second set of profiles that are dissimilar from the profiles from the first set of profiles.
  - 5. The method of claim 1, wherein the plurality of behavior models includes at least two of:
    - a domain model describing a frequency of domain visits;
      
      an agent model describing a frequency of browser usage;
      
      ora time model describing Internet usage as a function of time.
  - 6. The method of claim 5, wherein determining similarity further comprises:
    - determining a similarity value for each comparison of like-kind behavior models by comparing data from the first profile with data from the second profile;
      
      aggregating the similarity values from each comparison to produce an aggregated similarity value; and
      
      comparing the aggregated similarity value against a threshold.
  - 7. The method of claim 1, further comprising:
    - detecting unauthorized users accessing the network based on the similarity.
  - 8. The method claim 1, wherein each of the network addresses comprises an Internet Protocol (IP) address.
  - 9. The method of claim 8, further comprising:
    - detecting that a new user is using a particular IP address based at least on the similarity.

10. An apparatus comprising:
- a network interface unit configured to enable network communications; and
  
  a processor coupled to the network interface unit, and configured to;
  
  analyze data included in network traffic logs that represents behavior of active network hosts that were operating at network addresses in a network during at least one of two or more time windows;
  
  generate, based on the analyzing;
  
  a first set of profiles for the network addresses on which the active network hosts were operating during a first time window of the two or more time windows; and
  
  a second set of profiles for the network addresses on which the active network hosts were operating during a second time window of the two or more time windows, wherein profiles in the first set of profiles and profiles in the second set of profiles include a plurality of behavior models;
  
  determine similarity between a first profile from the first set of profiles and a second profile from the second set of profiles by comparing, in like-kind, the plurality of behavior models from the first profile and the plurality of behavior models from the second profile; and
  
  map an identity that is associated with a first network address of the network addresses that has the first profile during the first time window to a second network address of the network addresses that has the second profile during the second time window, wherein the second network address is different from the first network address and the processor is configured to map by;
  
  creating a bipartite graph with;
  
  (a) nodes that represent the active network hosts that were operating during the first time window and the second time window; and
  
  (b) edges between the nodes that are weighted based on the similarity;
  
  pruning any of the edges with a weight smaller than a pruning threshold so that remaining edges have a similarity greater than or equal to the pruning threshold; and
  
  pruning the remaining edges with an algorithm that determines maximum weight matchings in the remaining edges of the bipartite graph.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The apparatus of claim 10, wherein the processor is further configured to:
    - assign user identifiers to each of the network addresses on which the active network hosts were operating during at least one of the two or more time windows based at least on the similarity.
  - 12. The apparatus of claim 11, wherein the user identifiers assigned to the network addresses during the first time window are from a first set of user identifiers, and the processor is further configured to:
    - assign the user identifiers from the first set of user identifiers to the network address on which one of the active network hosts was operating during the second time window based at least on the mapping.
  - 13. The apparatus of claim 11, wherein the user identifiers assigned to the network addresses during the first time window are from a first set of user identifiers, and the processor is further configured to:
    - assign the user identifiers from a second set of user identifiers to the network addresses that have profiles from the second set of profiles that are dissimilar from the profiles from the first set of profiles.
  - 14. The apparatus of claim 10, wherein the plurality of behavior models includes at least two of:
    - a domain model describing a frequency of domain visits;
      
      an agent model describing a frequency of browser usage;
      
      ora time model describing internet usage as a function of time.
  - 15. The apparatus of claim 14, wherein the processor is configured to determine similarity by:
    - determining a similarity value for each comparison of like-kind behavior models by comparing data from the first profile with data from the second profile;
      
      aggregating the similarity values from each comparison to produce an aggregated similarity value; and
      
      comparing the aggregated similarity value against a threshold.

16. A non-transitory computer-readable storage medium encoded with software comprising computer executable instructions and when the software is executed operable to:
- analyze data included in network traffic logs that represents behavior of active network hosts that were operating at network addresses in a network during at least one of two or more time windows;
  
  generate, based on the analyzing;
  
  a first set of profiles for the network addresses on which the active network hosts that were operating during a first time window of the two or more time windows; and
  
  a second set of profiles for the network addresses on which the active network hosts were operating during a second time window of the two or more time windows, wherein profiles in the first set of profiles and profiles in the second set of profiles include a plurality of behavior models;
  
  determine similarity between a first profile from the first set of profiles and a second profile from the second set of profiles by comparing, in like-kind, the plurality of behavior models from the first profile and the plurality of behavior models from the second; and
  
  map an identity that is associated with a first network address of the network addresses that has the first profile during the first time window to a second network address of the network addresses that has the second profile during the second time window, wherein the second network address is different from the first network address and the instructions operable to map comprise instructions operable to;
  
  create a bipartite graph with;
  
  (a) nodes that represent the active network hosts that were operating during the first time window and the second time window; and
  
  (b) edges between the nodes that are weighted based on the similarity;
  
  prune any of the edges with a weight smaller than a pruning threshold so that remaining edges have a similarity greater than or equal to the pruning threshold; and
  
  prune the remaining edges with an algorithm that determines maximum weight matchings in the remaining edges of the bipartite graph.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer-readable storage medium of claim 16, further comprising instructions operable to:
    - assign user identifiers to each of the network addresses on which the active network hosts were operating during at least one of the two or more time windows based at least on the similarity.
  - 18. The computer-readable storage medium of claim 17, wherein the user identifiers assigned to the network addresses during the first time window are from a first set of user identifiers, and the instructions are further operable to:
    - assign one of the user identifiers from the first set of user identifiers to the network address on which one of the active network hosts was operating during the second time window based at least on the mapping;
      
      orassign the user identifiers from a second set of user identifiers to the network addresses that have profiles from the second set of profiles that are dissimilar from the profiles from the first set of profiles.
  - 19. The computer-readable storage medium of claim 16, wherein the plurality of behavior models includes at least two of:
    - a domain model describing a frequency of domain visits;
      
      an agent model describing a frequency of browser usage;
      
      ora time model describing internet usage as a function of time.
  - 20. The computer-readable storage medium of claim 19, wherein the instructions operable to determine similarity include instructions operable to:
    - determine a similarity value for each comparison of like-kind behavior models by comparing data from the first profile with data from the second profile;
      
      aggregate the similarity values from each comparison to produce an aggregated similarity value; and
      
      compare the aggregated similarity value against a threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Mrkos, Jan, Grill, Martin, Kohout, Jan
Primary Examiner(s)
Popham, Jeffrey D

Application Number

US14/723,605
Publication Number

US 20160352760A1
Time in Patent Office

1,265 Days
Field of Search

726 3
US Class Current
CPC Class Codes

H04L 61/103   across network layers, e.g....

H04L 61/5014   using dynamic host configur...

H04L 63/0281   Proxies

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/02   based on web technology, e....

H04L 67/303   Terminal profiles

H04L 67/535   Tracking the activity of th...

H04W 12/37   Managing security policies ...

Tracking users over network hosts based on user behavior

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Tracking users over network hosts based on user behavior

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links