System and method for detecting anomalies including detection and removal of outliers associated with network traffic to cloud applications

US 10,326,787 B2
Filed: 02/15/2017
Issued: 06/18/2019
Est. Priority Date: 02/15/2017
Status: Active Grant

First Claim

Patent Images

1. An anomaly detection system comprising:

a processor;

a memory; and

a security application stored in the memory and including instructions, which are executable by the processor and are configured to;

collect behavior data corresponding to a plurality of users of an organization accessing cloud applications via a distributed network, wherein the behavior data includes one or more parameter(s) tracked over time for the plurality of users, and wherein the cloud applications are implemented on one or more server computer(s) of a service provider;

create a first model for the organization based on the behavior data tracked for the plurality of users;

create a second model corresponding to a first user of the plurality of users based on the one or more parameter(s) tracked for the plurality of users except the first user, wherein the second model excludes behavior data pertaining to the first user;

score the second model based on the first model to generate a first score, wherein generating the first score is performed by at least performing the following;

determining a first cumulative distribution function based on the first model;

determining a second cumulative distribution function based on the second model; and

calculating the first score as a distance between the first cumulative distribution function and the second cumulative distribution function;

determine whether the first user is an outlier based on the first score;

remove the behavior data corresponding to the first user from the first model if the first user is determined to be an outlier;

recreate the first model based on the behavior data tracked for the plurality of users except for the first user;

detect an anomaly based on the recreated first model; and

perform a countermeasure in response to detection of the anomaly.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An anomaly detection system is provided and includes a processor, a memory and a security application stored in the memory and including instructions. The instructions are for collecting behavior data corresponding to users of an organization accessing cloud applications. The behavior data includes parameters tracked over time for the users. The instructions are for: creating a first model based on the behavior data tracked for the users; creating a second model corresponding to a first user based on the parameters tracked for the users except the first user, where the second model excludes behavior data pertaining to the first user; scoring the second model based on the first model to generate a first score; determining whether the first user is an outlier based on the first score; and removing the behavior data corresponding to the first user from the first model if the first user is an outlier.

22 Citations

View as Search Results

19 Claims

1. An anomaly detection system comprising:
- a processor;
  
  a memory; and
  
  a security application stored in the memory and including instructions, which are executable by the processor and are configured to;
  
  collect behavior data corresponding to a plurality of users of an organization accessing cloud applications via a distributed network, wherein the behavior data includes one or more parameter(s) tracked over time for the plurality of users, and wherein the cloud applications are implemented on one or more server computer(s) of a service provider;
  
  create a first model for the organization based on the behavior data tracked for the plurality of users;
  
  create a second model corresponding to a first user of the plurality of users based on the one or more parameter(s) tracked for the plurality of users except the first user, wherein the second model excludes behavior data pertaining to the first user;
  
  score the second model based on the first model to generate a first score, wherein generating the first score is performed by at least performing the following;
  
  determining a first cumulative distribution function based on the first model;
  
  determining a second cumulative distribution function based on the second model; and
  
  calculating the first score as a distance between the first cumulative distribution function and the second cumulative distribution function;
  
  determine whether the first user is an outlier based on the first score;
  
  remove the behavior data corresponding to the first user from the first model if the first user is determined to be an outlier;
  
  recreate the first model based on the behavior data tracked for the plurality of users except for the first user;
  
  detect an anomaly based on the recreated first model; and
  
  perform a countermeasure in response to detection of the anomaly.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The anomaly detection system of claim 1, wherein the security application is configured to:
    - collect scores for at least some of the plurality of users; and
      
      determine whether the first user is an outlier by comparing the first score to the scores for the at least some of the plurality of users.
  - 3. The anomaly detection system of claim 1, wherein the first model and the second model are histograms.
  - 4. The anomaly detection system of claim 1, wherein the security application is configured to:
    - determine a baseline based on the behavior data of the plurality of users;
      
      determine a plurality of models, where each of the plurality of models is for a respective one of the plurality of users;
      
      score each of the plurality of models based on the baseline or the first model, wherein the plurality of models do not include the second model;
      
      determine a standard deviation and a mean based on the scores of the plurality of models; and
      
      determine whether the first user is an outlier based on the score of the second model, the standard deviation and the mean.
  - 5. The anomaly detection system of claim 1, wherein the security application is configured to calculate the first score as a distance based on a two sample Kolmogorov-Smirnov test.
  - 6. The anomaly detection system of claim 1, the security application is configured to:
    - determine a plurality of models for a finite number of the plurality of users, wherein the plurality of models include the second model;
      
      score the plurality of models to generate a plurality of scores, wherein the plurality of scores includes the first score;
      
      detect a plurality of outliers including the first user based on the plurality of scores;
      
      determine whether a number of the plurality of outliers satisfies a predetermined amount; and
      
      adjust a threshold used to detect the plurality of outliers if the number of the plurality of outliers does not satisfy the predetermined amount.
  - 7. The anomaly detection system of claim 1, wherein the security application is configured to:
    - determine a baseline based on the behavior data corresponding to the plurality of users;
      
      determine a risk value based on anomaly data associated with the detected anomaly including determining a probability that the anomaly is to occur based on the baseline; and
      
      perform the countermeasure based on the risk value.
  - 8. The anomaly detection system of claim 1, wherein:
    - the security application collects the behavior data for the plurality of users by requesting logs from at least one of a proxy, a gateway and a firewall; and
      
      the logs include fields indicating access periods of the cloud applications, Internet protocol addresses of client computers of the plurality of users, usernames of the plurality of users, names of the cloud applications, volumes of data transferred between the client computers and machines of the cloud applications, a number of failed login attempts by each of the plurality of users, and numbers of transactions between the client computers and the machines of the cloud applications.

9. An anomaly detection system comprising:
- a processor;
  
  a memory; and
  
  a security application stored in the memory and including instructions, which are executable by the processor and are configured to;
  
  collect behavior data corresponding to a plurality of client computers of an organization accessing cloud applications via a distributed network, wherein the behavior data includes one or more parameters tracked over time for the plurality of client computers, and wherein the cloud applications are implemented on one or more server computer(s) of a service provider;
  
  create a first model for the organization based on the behavior data tracked for the plurality of client computers;
  
  create a second model corresponding to a first client computer of the plurality of client computers based on the one or more parameter(s) tracked for the plurality of client computers except the first client computer, wherein the second model excludes behavior data pertaining to the first client computer;
  
  score the second model based on the first model to generate a first score, wherein generating the first score is performed by at least performing the following;
  
  determining a first cumulative distribution function based on the first model;
  
  determining a second cumulative distribution function based on the second model; and
  
  calculating the first score as a distance between the first cumulative distribution function and the second cumulative distribution function;
  
  determine whether the first client computer is an outlier based on the first score;
  
  remove the behavior data corresponding to the first client computer from the first model if the first client computer is determined to be an outlier;
  
  recreate the first model based on the behavior data tracked for the plurality of client computers except for the first client computer;
  
  detect an anomaly based on the recreated first model andperform a countermeasure in response to detection of the anomaly.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The anomaly detection system of claim 9,wherein the first model and the second model are histograms.
  - 11. The anomaly detection system of claim 9, wherein the security application is configured to:
    - determine a baseline based on the behavior data of the plurality of client computers;
      
      determine a plurality of models, where each of the plurality of models is for a respective one of the plurality of client computers;
      
      score each of the plurality of models based on the baseline or the first model, wherein the plurality of models do not include the second model;
      
      determine a standard deviation and a mean based on the scores of the plurality of models; and
      
      determine whether the first client computer is an outlier based on the score of the second model, the standard deviation and the mean.
  - 12. The anomaly detection system of claim 9, wherein the security application is configured to calculate the first score as a distance based on a two sample Kolmogorov-Smirnov test.
  - 13. The anomaly detection system of claim 9, wherein the security application is configured to:
    - determine a plurality of models for a finite number of the plurality of client computers, wherein the plurality of models include the second model;
      
      score the plurality of models to generate a plurality of scores, wherein the plurality of scores includes the first score;
      
      detect a plurality of outliers including the first client computer based on the plurality of scores;
      
      determine whether a number of the plurality of outliers satisfies a predetermined amount; and
      
      adjust a threshold used to detect the plurality of outliers if the number of the plurality of outliers does not satisfy the predetermined amount.
  - 14. The anomaly detection system of claim 9, wherein the security application is configured to:
    - determine a baseline based on the behavior data corresponding to the plurality of client computers;
      
      determine a risk value based on anomaly data associated with the detected anomaly including determining a probability that the anomaly is to occur based on the baseline; and
      
      perform the countermeasure based on the risk value.

15. One or more computer-readable hardware storage device(s) having stored thereon computer-executable instructions that are operable, when executed by one or more processor(s) of a computer system, to cause the computer system to detect an anomaly associated with access of a cloud application by causing the computer system to:
- collect behavior data corresponding to a plurality of users of an organization accessing cloud applications via a distributed network, wherein the behavior data includes one or more parameter(s) tracked over time for the plurality of users, and wherein the cloud applications are implemented on one or more server computer(s) of a service provider;
  
  create a first model for the organization based on the behavior data tracked for the plurality of users;
  
  create a second model corresponding to a first user of the plurality of users based on the one or more parameter(s) tracked for the plurality of users except the first user, wherein the second model excludes behavior data pertaining to the first user;
  
  score the second model based on the first model to generate a first score, wherein generating the first score is performed by at least performing the following;
  
  determining that the first model includes a first histogram;
  
  determining that the second model includes a second histogram; and
  
  calculating the first score by comparing the first histogram against the second histogram;
  
  determine whether the first user is an outlier based on the first score;
  
  remove the behavior data corresponding to the first user from the first model if the first user is determined to be an outlier;
  
  recreate the first model based on the behavior data tracked for the plurality of users except for the first user;
  
  detect the anomaly based on the recreated first model; and
  
  perform a countermeasure in response to detection of the anomaly.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The one or more computer-readable hardware storage device(s) of claim 15, wherein execution of the computer-executable instructions further causes the computer system to:
    - determine a first cumulative distribution function based on the first model;
      
      determine a second cumulative distribution function based on the second model; and
      
      calculate the first score as a distance between the first cumulative distribution function and the second cumulative distribution function.
  - 17. The one or more computer-readable hardware storage device(s) of claim 15, wherein execution of the computer-executable instructions further causes the computer system to:
    - determine a baseline based on the behavior data of the plurality of users;
      
      determine a plurality of models, where each of the plurality of models is for a respective one of the plurality of users;
      
      score each of the plurality of models based on the baseline or the first model, wherein the plurality of models do not include the second model;
      
      determine a standard deviation and a mean based on the scores of the plurality of models; and
      
      determine whether the first user is an outlier based on the score of the second model, the standard deviation and the mean.
  - 18. The one or more computer-readable hardware storage device(s) of claim 15, wherein the first score is calculated as a distance based on a two sample Kolmogorov-Smirnov test.
  - 19. The one or more computer-readable hardware storage device(s) of claim 15, wherein execution of the computer-executable instructions further causes the computer system to:
    - determine a plurality of models for a finite number of the plurality of users, wherein the plurality of models include the second model;
      
      score the plurality of models to generate a plurality of scores, wherein the plurality of scores includes the first score;
      
      detect a plurality of outliers including the first user based on the plurality of scores;
      
      determine whether a number of the plurality of outliers satisfies a predetermined amount; and
      
      adjust a threshold used to detect the plurality of outliers if the number of the plurality of outliers does not satisfy the predetermined amount.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Wolkov, Anton, Kaplan, Shai, Most, Yonatan, Bar Av, Ido
Primary Examiner(s)
Colin, Carl G
Assistant Examiner(s)
Little, Vance M

Application Number

US15/433,039
Publication Number

US 20180234443A1
Time in Patent Office

853 Days
Field of Search
US Class Current
CPC Class Codes

G06F 18/2415   based on parametric or prob...

G06F 18/2433   Single-class perspective, e...

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 30/20   Design optimisation, verifi...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 67/535   Tracking the activity of th...

System and method for detecting anomalies including detection and removal of outliers associated with network traffic to cloud applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

System and method for detecting anomalies including detection and removal of outliers associated with network traffic to cloud applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others