Peer-based abnormal host detection for enterprise security systems

US 10,367,842 B2
Filed: 02/22/2018
Issued: 07/30/2019
Est. Priority Date: 04/16/2015
Status: Active Grant

First Claim

Patent Images

1. A method for determining a risk level of a host in a network, comprising:

modeling a target host'"'"'s behavior based on historical events, which include network events and process events, recorded at the target host;

determining one or more original peer hosts having behavior similar to the target host'"'"'s behavior, including an iterative clustering process that assigns a set of initial cluster centroids and updates the centroids after assigning hosts to a closet cluster to identify peer hosts in a lateral space;

determining an anomaly score for the target host using a processor based on how the target host'"'"'s behavior changes relative to behavior of the one or more original peer hosts over time; and

performing a security management action based on the anomaly score.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for determining a risk level of a host in a network include modeling a target host'"'"'s behavior based on historical events recorded at the target host. One or more original peer hosts having behavior similar to the target host'"'"'s behavior are determined. An anomaly score for the target host is determined based on how the target host'"'"'s behavior changes relative to behavior of the one or more original peer hosts over time. A security management action is performed based on the anomaly score.

Citations

16 Claims

1. A method for determining a risk level of a host in a network, comprising:
- modeling a target host'"'"'s behavior based on historical events, which include network events and process events, recorded at the target host;
  
  determining one or more original peer hosts having behavior similar to the target host'"'"'s behavior, including an iterative clustering process that assigns a set of initial cluster centroids and updates the centroids after assigning hosts to a closet cluster to identify peer hosts in a lateral space;
  
  determining an anomaly score for the target host using a processor based on how the target host'"'"'s behavior changes relative to behavior of the one or more original peer hosts over time; and
  
  performing a security management action based on the anomaly score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein modeling the target host'"'"'s behavior comprises embedding the historical events in the latent space.
  - 3. The method of claim 2, wherein determining one or more peer hosts comprises determining a distance in the latent space between the embedded target host'"'"'s events and embedded events of other hosts.
  - 4. The method of claim 3, wherein determining one or more peer hosts comprises clustering hosts based on distance in the latent space.
  - 5. The method of claim 2, wherein embedding the historical events in the latent space comprises a negative sampling that approximates a maximized conditional probability that an event will occur at the target host.
  - 6. The method of claim 1, wherein determining the anomaly score comprises determining one or more new peer hosts and comparing the one or more new peer hosts to the one or more original peer hosts.
  - 7. The method of claim 1, wherein determining the anomaly score comprises determining a similarity between new events recorded at the target host and new events recorded at the one or more original peer hosts.
  - 8. The method of claim 1, wherein performing the security action further comprises automatically performing at least one security action selected from the group consisting of shutting down devices, stopping or restricting certain types of network communication, raising alerts to system administrators, and changing a security policy level.

9. A system for determining a risk level of a host in a network, comprising:
- a host behavior module configured to model a target host'"'"'s behavior based on historical events, which include network events and process events, recorded at the target host;
  
  a peer host module configured to determine one or more original peer hosts having behavior similar to the target host'"'"'s behavior using an iterative clustering process that assigns a set of initial cluster centroids and updates the centroids after assigning hosts to a closest cluster to identify peer hosts in a lateral space;
  
  an anomaly score module comprising a processor configured to determine an anomaly score for the target host based on how the target host'"'"'s behavior changes relative to behavior of the one or more original peer hosts over time; and
  
  a security module configured to perform a security management action based on the anomaly score.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, the host behavior module is further configured to model the target host'"'"'s behavior comprises embedding the historical events in the latent space.
  - 11. The system of claim 10, the peer host module is further configured to determine one or more peer hosts comprises determining a distance in the latent space between the embedded target host'"'"'s events and embedded events of other hosts.
  - 12. The system of claim 11, the peer host module is further configured to determine one or more peer hosts comprises clustering hosts based on distance in the latent space.
  - 13. The system of claim 10, the peer host module is further configured to embed the historical events in a latent space comprises a negative sampling that approximates a maximized conditional probability that an event will occur at the target host.
  - 14. The system of claim 9, the anomaly score module is further configured to determine the anomaly score comprises determining one or more new peer hosts and comparing the one or more new peer hosts to the one or more original peer hosts.
  - 15. The system of claim 9, the anomaly score module is further configured to determine the anomaly score comprises determining a similarity between new events recorded at the target host and new events recorded at the one or more original peer hosts.
  - 16. The system of claim 9, the security module is further configured to perform the security action further comprises automatically performing at least one security action selected from the group consisting of shutting down devices, stopping or restricting certain types of network communication, raising alerts to system administrators, and changing a security policy level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cloud BYTE LLC
Original Assignee
NEC Corporation
Inventors
Chen, Zhengzhang, Tang, LuAn, Li, Zhichun, Cao, Cheng
Primary Examiner(s)
Schwartz, Darren B

Application Number

US15/902,318
Publication Number

US 20180183824A1
Time in Patent Office

523 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Peer-based abnormal host detection for enterprise security systems

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Peer-based abnormal host detection for enterprise security systems

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links