Network session based user behavior pattern analysis and associated anomaly detection and verification

US 10,341,391 B1
Filed: 05/16/2016
Issued: 07/02/2019
Est. Priority Date: 05/16/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising steps of:

obtaining data characterizing a plurality of network sessions for a given user identifier wherein the network sessions are initiated from one or more user devices over at least one network;

extracting features from the obtained data;

detecting at least one potentially anomalous network session among the plurality of network sessions for the given user identifier by applying the extracted features to a support vector machine model for the given user identifier; and

applying a rules-based verification process to the detected potentially anomalous network session in order to verify that the detected potentially anomalous network session is an anomalous network session;

generating an alert based at least in part on one or more results of the rules-based verification process;

automatically taking one or more remedial actions over the at least one network relating to the anomalous network session based at least in part on at least one of the one or more results of the rules-based verification process; and

updating the support vector machine model for the given user identifier as part of an unsupervised learning process;

wherein updating the support vector machine model for the given user identifier comprises;

classifying a given one of the network sessions as a non-anomalous network session; and

incorporating the extracted features of the given network session and its classification as a non-anomalous network session into the support vector machine model as a new observation;

wherein the alert is transmitted over said at least one network to a security agent;

wherein the support vector machine model for the given user identifier utilizes a designated function to determine a decision boundary separating normal network sessions within a learned class defining a behavior pattern for the given user identifier from potentially anomalous network sessions not within the learned class, by projecting the data characterizing the plurality of network sessions for the given user identifier as respective data points plotted relative to an origin, the decision boundary separating the plotted data points into a first region comprising the origin and a first subset of the data points representing the potentially anomalous network sessions and a second region comprising a second subset of the data points representing the normal network sessions;

wherein the support vector machine model for the given user identifier is one of a plurality of distinct support vector machine models maintained for respective ones of a plurality of distinct user identifiers, with automated detection of anomalous network sessions for different ones of the distinct user identifiers being based at least in part on respective different ones of the distinct support vector machine models; and

wherein the steps are performed by at least one processing device comprising a processor coupled to a memory.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A processing device in one embodiment comprises a processor coupled to a memory and is configured to obtain data characterizing a plurality of network sessions for a given user identifier. The network sessions are initiated from one or more user devices over at least one network and may comprise respective virtual private network (VPN) sessions. The processing device is further configured to extract features from the obtained data, to detect at least one potentially anomalous network session among the plurality of network sessions for the given user identifier by applying the extracted features to a support vector machine model, and to apply a rules-based verification process to the detected potentially anomalous network session in order to verify that the detected potentially anomalous network session is an anomalous network session. An alert is generated based on a result of the rules-based verification process and transmitted to a security agent.

87 Citations

View as Search Results

20 Claims

1. A method comprising steps of:
- obtaining data characterizing a plurality of network sessions for a given user identifier wherein the network sessions are initiated from one or more user devices over at least one network;
  
  extracting features from the obtained data;
  
  detecting at least one potentially anomalous network session among the plurality of network sessions for the given user identifier by applying the extracted features to a support vector machine model for the given user identifier; and
  
  applying a rules-based verification process to the detected potentially anomalous network session in order to verify that the detected potentially anomalous network session is an anomalous network session;
  
  generating an alert based at least in part on one or more results of the rules-based verification process;
  
  automatically taking one or more remedial actions over the at least one network relating to the anomalous network session based at least in part on at least one of the one or more results of the rules-based verification process; and
  
  updating the support vector machine model for the given user identifier as part of an unsupervised learning process;
  
  wherein updating the support vector machine model for the given user identifier comprises;
  
  classifying a given one of the network sessions as a non-anomalous network session; and
  
  incorporating the extracted features of the given network session and its classification as a non-anomalous network session into the support vector machine model as a new observation;
  
  wherein the alert is transmitted over said at least one network to a security agent;
  
  wherein the support vector machine model for the given user identifier utilizes a designated function to determine a decision boundary separating normal network sessions within a learned class defining a behavior pattern for the given user identifier from potentially anomalous network sessions not within the learned class, by projecting the data characterizing the plurality of network sessions for the given user identifier as respective data points plotted relative to an origin, the decision boundary separating the plotted data points into a first region comprising the origin and a first subset of the data points representing the potentially anomalous network sessions and a second region comprising a second subset of the data points representing the normal network sessions;
  
  wherein the support vector machine model for the given user identifier is one of a plurality of distinct support vector machine models maintained for respective ones of a plurality of distinct user identifiers, with automated detection of anomalous network sessions for different ones of the distinct user identifiers being based at least in part on respective different ones of the distinct support vector machine models; and
  
  wherein the steps are performed by at least one processing device comprising a processor coupled to a memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein the network sessions comprise respective virtual private network (VPN) sessions.
  - 3. The method of claim 1 wherein the support vector machine model comprises a one-class support vector machine model.
  - 4. The method of claim 1 wherein the extracted features of a particular one of the network sessions for the given user identifier comprise a device identifier, an external IP address, an internal IP address, a session start time, a session duration, a number of bytes received during the session and a number of bytes sent during the session.
  - 5. The method of claim 4 wherein the extracted features of the particular network session for the given user identifier further comprise one or more derived features comprising at least a subset of latitude, longitude, location, region, country, displacement rate, download rate and upload rate.
  - 6. The method of claim 1 wherein the given network session classified as a non-anomalous network session comprises one of the plurality of sessions that is not determined to be a potentially anomalous network session.
  - 7. The method of claim 1 wherein the given network session classified as a non-anomalous network session comprises one of the plurality of sessions that is initially determined to be an anomalous network session but wherein that determination is subsequently characterized as a false positive.
  - 8. The method of claim 1 wherein the detected potentially anomalous network session comprises a particular one of the plurality of network sessions that deviates from the behavior pattern of the given user identifier as characterized by the support vector machine model for the given user identifier.
  - 9. The method of claim 1 wherein the support vector machine model utilizes a Gaussian kernel function to determine the decision boundary separating normal network sessions within the learned class defining the behavior pattern for the given user identifier from potentially anomalous network sessions not within the learned class.
  - 10. The method of claim 1 wherein the extracting, detecting, applying and generating steps are applied to a current one of the plurality of network sessions for the given user identifier and wherein previous ones of the plurality of network sessions for the given user identifier are utilized to generate the support vector machine module for the given user identifier.
  - 11. The method of claim 1 wherein the rules-based verification process comprises at least a subset of the following rules:
    - a rule that indicates an anomaly responsive to a network session being initiated from a user device not previously associated with the user identifier;
      
      a rule that indicates an anomaly responsive to a network session being initiated from a country not previously associated with the user identifier;
      
      a rule that indicates an anomaly responsive to a network session being initiated from a restricted country;
      
      a rule that indicates an anomaly responsive to a network session being initiated for an inactive user identifier;
      
      a rule that indicates an anomaly responsive to an abnormal amount of data being downloaded during a network session;
      
      a rule that indicates an anomaly responsive to an abnormal amount of data being uploaded during a network session;
      
      a rule that indicates an anomaly responsive to multiple overlapping network sessions being initiated from the same user device at different locations;
      
      a rule that indicates an anomaly responsive to multiple overlapping network sessions being initiated from different user devices at different locations;
      
      a rule that indicates an anomaly responsive to a second network session being initiated from the same user device from which a first network session is initiated where the first and second network sessions are initiated in respective first and second locations that are more than a threshold distance apart;
      
      a rule that indicates an anomaly responsive to more than a threshold number of network sessions being active in a specified time interval;
      
      a rule that indicates an anomaly responsive to a threshold number of network sessions having substantially the same duration; and
      
      a rule that indicates an anomaly responsive to a threshold number of network sessions having substantially the same start time.
  - 12. The method of claim 1 wherein an urgency level of the alert is increased responsive to the user identifier falling into a designated group of user identifiers.

13. A non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing device causes said at least one processing device:
- to obtain data characterizing a plurality of network sessions for a given user identifier wherein the network sessions are initiated from one or more user devices over at least one network;
  
  to extract features from the obtained data;
  
  to detect at least one potentially anomalous network session among the plurality of network sessions for the given user identifier by applying the extracted features to a support vector machine model for the given user identifier; and
  
  to apply a rules-based verification process to the detected potentially anomalous network session in order to verify that the detected potentially anomalous network session is an anomalous network session;
  
  to generate an alert based at least in part on one or more results of the rules-based verification process;
  
  to automatically take one or more remedial actions over the at least one network relating to the anomalous network session based at least in part on at least one of the one or more results of the rules-based verification process; and
  
  to update the support vector machine model for the given user identifier as part of an unsupervised learning process;
  
  wherein updating the support vector machine model for the given user identifier comprises;
  
  classifying a given one of the network sessions as a non-anomalous network session; and
  
  incorporating the extracted features of the given network session and its classification as a non-anomalous network session into the support vector machine model as a new observation;
  
  wherein the alert is transmitted over said at least one network to a security agent;
  
  wherein the support vector machine model for the given user identifier utilizes a designated function to determine a decision boundary separating normal network sessions within a learned class defining a behavior pattern for the given user identifier from potentially anomalous network sessions not within the learned class, by projecting the data characterizing the plurality of network sessions for the given user identifier as respective data points plotted relative to an origin, the decision boundary separating the plotted data points into a first region comprising the origin and a first subset of the data points representing the potentially anomalous network sessions and a second region comprising a second subset of the data points representing the normal network sessions; and
  
  wherein the support vector machine model for the given user identifier is one of a plurality of distinct support vector machine models maintained for respective ones of a plurality of distinct user identifiers, with automated detection of anomalous network sessions for different ones of the distinct user identifiers being based at least in part on respective different ones of the distinct support vector machine models.
- View Dependent Claims (14, 15)
- - 14. The processor-readable storage medium of claim 13 wherein the detected potentially anomalous network session comprises a particular one of the plurality of network sessions that deviates from the behavior pattern of the given user identifier as characterized by the support vector machine model for the given user identifier.
  - 15. The processor-readable storage medium of claim 13 wherein the support vector machine model utilizes a Gaussian kernel function to determine the decision boundary separating normal network sessions within the learned class defining the behavior pattern for the given user identifier from potentially anomalous network sessions not within the learned class.

16. An apparatus comprising:
- at least one processing device comprising a processor coupled to a memory;
  
  said at least one processing device being configured;
  
  to obtain data characterizing a plurality of network sessions for a given user identifier wherein the network sessions are initiated from one or more user devices over at least one network;
  
  to extract features from the obtained data;
  
  to detect at least one potentially anomalous network session among the plurality of network sessions for the given user identifier by applying the extracted features to a support vector machine model for the given user identifier; and
  
  to apply a rules-based verification process to the detected potentially anomalous network session in order to verify that the detected potentially anomalous network session is an anomalous network session;
  
  to generate an alert based at least in part on one or more results of the rules-based verification process; and
  
  to automatically take one or more remedial actions over the at least one network relating to the anomalous network session based at least in part on at least one of the one or more results of the rules-based verification process; and
  
  to update the support vector machine model for the given user identifier as part of an unsupervised learning process;
  
  wherein updating the support vector machine model for the given user identifier comprises;
  
  classifying a given one of the network sessions as a non-anomalous network session; and
  
  incorporating the extracted features of the given network session and its classification as a non-anomalous network session into the support vector machine model as a new observation;
  
  wherein the alert is transmitted over said at least one network to a security agent;
  
  wherein the support vector machine model for the given user identifier utilizes a designated function to determine a decision boundary separating normal network sessions within a learned class defining a behavior pattern for the given user identifier from potentially anomalous network sessions not within the learned class, by projecting the data characterizing the plurality of network sessions for the given user identifier as respective data points plotted relative to an origin, the decision boundary separating the plotted data points into a first region comprising the origin and a first subset of the data points representing the potentially anomalous network sessions and a second region comprising a second subset of the data points representing the normal network sessions; and
  
  wherein the support vector machine model for the given user identifier is one of a plurality of distinct support vector machine models maintained for respective ones of a plurality of distinct user identifiers, with automated detection of anomalous network sessions for different ones of the distinct user identifiers being based at least in part on respective different ones of the distinct support vector machine models.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16 wherein the detected potentially anomalous network session comprises a particular one of the plurality of network sessions that deviates from the behavior pattern of the given user identifier as characterized by the support vector machine model for the given user identifier.
  - 18. The apparatus of claim 16 wherein the support vector machine model utilizes a Gaussian kernel function to determine the decision boundary separating normal network sessions within the learned class defining the behavior pattern for the given user identifier from potentially anomalous network sessions not within the learned class.
  - 19. The apparatus of claim 16 wherein the given network session classified as a non-anomalous network session comprises one of the plurality of sessions that is not determined to be a potentially anomalous network session.
  - 20. The apparatus of claim 16 wherein the given network session classified as a non-anomalous network session comprises one of the plurality of sessions that is initially determined to be an anomalous network session but wherein that determination is subsequently characterized as a false positive.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Pandey, Shikhar, Putturaya, Kartikeya, Venkata, Chandra Sekar Rao Munaganuri, Abhishek, Gupta
Primary Examiner(s)
Schmidt, Karl L

Application Number

US15/155,475
Time in Patent Office

1,142 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0272   Virtual private networks

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/1097   for distributed storage of ...

H04L 67/14   Session management for real...

H04L 67/141   Setup of application sessio...

H04L 67/143   Termination or inactivation...

Network session based user behavior pattern analysis and associated anomaly detection and verification

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

87 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network session based user behavior pattern analysis and associated anomaly detection and verification

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

87 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links