System and method for detecting anomalies including detection and removal of outliers associated with network traffic to cloud applications
First Claim
1. An anomaly detection system comprising:
- a processor;
- a memory; and
- a security application stored in the memory and including instructions, which are executable by the processor and are configured to:
  - collect behavior data corresponding to a plurality of users of an organization accessing cloud applications via a distributed network, wherein the behavior data includes one or more parameter(s) tracked over time for the plurality of users, and wherein the cloud applications are implemented on one or more server computer(s) of a service provider;
  - create a first model for the organization based on the behavior data tracked for the plurality of users;
  - create a second model corresponding to a first user of the plurality of users based on the one or more parameter(s) tracked for the plurality of users except the first user, wherein the second model excludes behavior data pertaining to the first user;
  - score the second model based on the first model to generate a first score, wherein generating the first score is performed by at least performing the following:
    - determining a first cumulative distribution function based on the first model;
    - determining a second cumulative distribution function based on the second model; and
    - calculating the first score as a distance between the first cumulative distribution function and the second cumulative distribution function;
  - determine whether the first user is an outlier based on the first score;
  - remove the behavior data corresponding to the first user from the first model if the first user is determined to be an outlier;
  - recreate the first model based on the behavior data tracked for the plurality of users except for the first user;
  - detect an anomaly based on the recreated first model; and
  - perform a countermeasure in response to detection of the anomaly.
Abstract
An anomaly detection system is provided and includes a processor, a memory and a security application stored in the memory and including instructions. The instructions are for collecting behavior data corresponding to users of an organization accessing cloud applications. The behavior data includes parameters tracked over time for the users. The instructions are for: creating a first model based on the behavior data tracked for the users; creating a second model corresponding to a first user based on the parameters tracked for the users except the first user, where the second model excludes behavior data pertaining to the first user; scoring the second model based on the first model to generate a first score; determining whether the first user is an outlier based on the first score; and removing the behavior data corresponding to the first user from the first model if the first user is an outlier.
19 Claims
1. An anomaly detection system comprising: (independent claim 1; its full text is reproduced above under First Claim.)

Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. An anomaly detection system comprising:
- a processor;
- a memory; and
- a security application stored in the memory and including instructions, which are executable by the processor and are configured to:
  - collect behavior data corresponding to a plurality of client computers of an organization accessing cloud applications via a distributed network, wherein the behavior data includes one or more parameters tracked over time for the plurality of client computers, and wherein the cloud applications are implemented on one or more server computer(s) of a service provider;
  - create a first model for the organization based on the behavior data tracked for the plurality of client computers;
  - create a second model corresponding to a first client computer of the plurality of client computers based on the one or more parameter(s) tracked for the plurality of client computers except the first client computer, wherein the second model excludes behavior data pertaining to the first client computer;
  - score the second model based on the first model to generate a first score, wherein generating the first score is performed by at least performing the following:
    - determining a first cumulative distribution function based on the first model;
    - determining a second cumulative distribution function based on the second model; and
    - calculating the first score as a distance between the first cumulative distribution function and the second cumulative distribution function;
  - determine whether the first client computer is an outlier based on the first score;
  - remove the behavior data corresponding to the first client computer from the first model if the first client computer is determined to be an outlier;
  - recreate the first model based on the behavior data tracked for the plurality of client computers except for the first client computer;
  - detect an anomaly based on the recreated first model and perform a countermeasure in response to detection of the anomaly.

Dependent claims: 10, 11, 12, 13, 14
15. One or more computer-readable hardware storage device(s) having stored thereon computer-executable instructions that are operable, when executed by one or more processor(s) of a computer system, to cause the computer system to detect an anomaly associated with access of a cloud application by causing the computer system to:
- collect behavior data corresponding to a plurality of users of an organization accessing cloud applications via a distributed network, wherein the behavior data includes one or more parameter(s) tracked over time for the plurality of users, and wherein the cloud applications are implemented on one or more server computer(s) of a service provider;
- create a first model for the organization based on the behavior data tracked for the plurality of users;
- create a second model corresponding to a first user of the plurality of users based on the one or more parameter(s) tracked for the plurality of users except the first user, wherein the second model excludes behavior data pertaining to the first user;
- score the second model based on the first model to generate a first score, wherein generating the first score is performed by at least performing the following:
  - determining that the first model includes a first histogram;
  - determining that the second model includes a second histogram; and
  - calculating the first score by comparing the first histogram against the second histogram;
- determine whether the first user is an outlier based on the first score;
- remove the behavior data corresponding to the first user from the first model if the first user is determined to be an outlier;
- recreate the first model based on the behavior data tracked for the plurality of users except for the first user;
- detect the anomaly based on the recreated first model; and
- perform a countermeasure in response to detection of the anomaly.

Dependent claims: 16, 17, 18, 19
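The leave-one-out procedure shared by claims 1, 9 and 15, worked through as an added example; this is not code from the patent or its assignee. The claims do not fix the tracked parameter, the distance, the bin layout, the outlier threshold or the anomaly rule, so the following are assumptions made here: the parameter is megabytes uploaded per day, the "distance between cumulative distribution functions" is the two-sample Kolmogorov-Smirnov statistic (the largest gap between the two empirical CDFs), the histogram comparison of claim 15 is the total-variation distance over ten equal-width bins, a user is an outlier when the leave-one-out score exceeds 0.10, and an observation is anomalous when it exceeds the 99th percentile of the recreated model. The behavior data is constructed: six ordinary users and one hypothetical bulk uploader, `user7`.

```python
"""Leave-one-out outlier removal before anomaly detection (added example).

Added illustration, not code from the patent or its assignee. It follows the
claims: build an organization-wide (first) model from a parameter tracked for
every user, build for each user a second model that excludes that user, score
the pair by the distance between their empirical CDFs (claims 1 and 9) or by
comparing their histograms (claim 15), drop users whose score exceeds a
threshold, recreate the first model, and detect anomalies against it. The
tracked parameter, distances, thresholds and data are constructed assumptions.
"""
from bisect import bisect_right
from math import ceil

# Constructed behavior data: MB uploaded to a cloud app per day, sampled over
# 20 days for each of 7 users. "user7" is a hypothetical bulk uploader whose
# volume would otherwise stretch the organization's model.
BEHAVIOR_DATA = {f"user{i}": [100.0 + 10 * i + 5 * k for k in range(20)] for i in range(6)}
BEHAVIOR_DATA["user7"] = [4000.0 + 50 * k for k in range(20)]


def build_model(behavior, exclude=None):
    """First/second model: sorted pooled samples of every user except `exclude`."""
    return sorted(x for user, xs in behavior.items() if user != exclude for x in xs)


def empirical_cdf(model, x):
    """Fraction of the (sorted) model's samples that are <= x."""
    return bisect_right(model, x) / len(model)


def cdf_distance(first, second):
    """Claims 1 and 9: sup |F_first(x) - F_second(x)|, the two-sample
    Kolmogorov-Smirnov statistic; the supremum is attained at a sample point."""
    return max(abs(empirical_cdf(first, x) - empirical_cdf(second, x))
               for x in set(first) | set(second))


def histogram(model, edges):
    """Normalised histogram over the given bin edges; the top edge is inclusive."""
    counts = [0] * (len(edges) - 1)
    for x in model:
        i = min(max(bisect_right(edges, x) - 1, 0), len(counts) - 1)
        counts[i] += 1
    return [c / len(model) for c in counts]


def histogram_distance(first, second, bins=10):
    """Claim 15: total-variation distance between the two models' histograms,
    with bin edges taken from the range of the first (organization-wide) model."""
    lo, hi = first[0], first[-1]
    edges = [lo + (hi - lo) * b / bins for b in range(bins + 1)]
    p, q = histogram(first, edges), histogram(second, edges)
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))


def score_users(behavior, distance=cdf_distance):
    """Score each user by how much the organization model moves when that
    user's data is left out; a large score means the user is unlike the rest."""
    first = build_model(behavior)
    return {user: distance(first, build_model(behavior, exclude=user)) for user in behavior}


def remove_outliers(behavior, threshold, distance=cdf_distance):
    """Drop users whose leave-one-out score exceeds `threshold`; return the
    cleaned data (from which the first model is recreated) and the outliers."""
    scores = score_users(behavior, distance)
    outliers = {u for u, s in scores.items() if s > threshold}
    cleaned = {u: xs for u, xs in behavior.items() if u not in outliers}
    return cleaned, outliers


def quantile(model, q):
    """Value below which a fraction q of the sorted model's samples fall."""
    return model[min(max(ceil(q * len(model)) - 1, 0), len(model) - 1)]


def is_anomaly(model, observation, q=0.99):
    """Assumed anomaly rule: the observation exceeds the model's q-quantile."""
    return observation > quantile(model, q)


if __name__ == "__main__":
    cleaned, outliers = remove_outliers(BEHAVIOR_DATA, threshold=0.10)
    print("outliers removed:", sorted(outliers))
    recreated = build_model(cleaned)
    # New observation: an ordinary user uploads 900 MB in one day. It is
    # anomalous against the recreated model but hidden by the polluted one.
    print("anomalous vs recreated model:", is_anomaly(recreated, 900.0))
    print("anomalous vs polluted model:", is_anomaly(build_model(BEHAVIOR_DATA), 900.0))
    if is_anomaly(recreated, 900.0):
        print("countermeasure: alert the security team and step up authentication for the user")
```

Running the script removes `user7` (its leave-one-out score is 1/7 under both distances, against under 0.06 for every ordinary user) and then flags the 900 MB observation only against the recreated model: with `user7` still in the pool the 99th percentile sits near 4900 MB and the event passes unnoticed. That is the practical reason the claims recreate the first model after outlier removal before detecting anomalies.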
Specification