Peer-based abnormal host detection for enterprise security systems
Abstract
Systems and methods for determining a risk level of a host in a network include modeling a target host's behavior based on historical events recorded at the target host. One or more original peer hosts having behavior similar to the target host's behavior are determined. An anomaly score for the target host is determined based on how the target host's behavior changes relative to behavior of the one or more original peer hosts over time. A security management action is performed based on the anomaly score.
16 Claims
1. A method for determining a risk level of a host in a network, comprising:

- modeling a target host's behavior based on historical events, which include network events and process events, recorded at the target host;
- determining one or more original peer hosts having behavior similar to the target host's behavior, including an iterative clustering process that assigns a set of initial cluster centroids and updates the centroids after assigning hosts to a closest cluster to identify peer hosts in a lateral space;
- determining an anomaly score for the target host using a processor based on how the target host's behavior changes relative to behavior of the one or more original peer hosts over time; and
- performing a security management action based on the anomaly score.

Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A system for determining a risk level of a host in a network, comprising:

- a host behavior module configured to model a target host's behavior based on historical events, which include network events and process events, recorded at the target host;
- a peer host module configured to determine one or more original peer hosts having behavior similar to the target host's behavior using an iterative clustering process that assigns a set of initial cluster centroids and updates the centroids after assigning hosts to a closest cluster to identify peer hosts in a lateral space;
- an anomaly score module comprising a processor configured to determine an anomaly score for the target host based on how the target host's behavior changes relative to behavior of the one or more original peer hosts over time; and
- a security module configured to perform a security management action based on the anomaly score.

Dependent claims: 10, 11, 12, 13, 14, 15, 16.
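The three steps the independent claims describe (model each host's behavior from its events, cluster hosts iteratively to find the target's peers, score the target by how its change over time diverges from its peers' change) as an added Python illustration; this is not the patent's own implementation. The per-host feature vectors, the seeding of centroids with the first k hosts, and the plain Euclidean drift distance are all assumptions chosen for this example.

```python
# Added example (not the patent's own code): peer-based anomaly scoring in pure Python.
# Behavior per host is a per-window feature vector built from constructed network and
# process event counts; peers come from an iterative k-means over the baseline window;
# the score is how far the target's drift since baseline sits from its peers' mean drift.
from math import dist

# Constructed sample data: host -> windows -> [outbound_conns, distinct_dst_ports, procs_started]
# ws-01 is the target; in window 2 its port spread and process starts jump while peers stay flat.
EVENTS = {
    "ws-01": [[40, 5, 20], [42, 5, 21], [41, 40, 60]],
    "ws-02": [[38, 4, 19], [40, 5, 20], [39, 5, 21]],
    "ws-03": [[44, 6, 22], [43, 5, 23], [45, 6, 22]],
    "db-01": [[900, 2, 3], [910, 2, 3], [905, 2, 4]],   # different role: never a peer of ws-*
    "db-02": [[880, 2, 4], [890, 2, 3], [895, 2, 3]],
}

def kmeans(points, k, iters=20):
    """Iterative clustering as claimed: seed centroids, assign each host to the closest, update."""
    names = list(points)
    centroids = [list(points[n]) for n in names[:k]]   # assumption: first k hosts seed the centroids
    labels = {}
    for _ in range(iters):
        labels = {n: min(range(k), key=lambda c: dist(points[n], centroids[c])) for n in names}
        for c in range(k):
            members = [points[n] for n in names if labels[n] == c]
            if members:   # recompute the centroid as the mean of its assigned hosts
                centroids[c] = [sum(v) / len(members) for v in zip(*members)]
    return labels

def peer_hosts(events, target, window=0, k=2):
    """Hosts that share the target's cluster in the baseline window (the 'original peers')."""
    labels = kmeans({h: w[window] for h, w in events.items()}, k)
    return sorted(h for h in events if h != target and labels[h] == labels[target])

def anomaly_score(events, target, peers, window):
    """Distance between the target's drift since baseline and the peers' mean drift."""
    drift = lambda h: [b - a for a, b in zip(events[h][0], events[h][window])]
    peer_drift = [sum(v) / len(peers) for v in zip(*(drift(p) for p in peers))]
    return dist(drift(target), peer_drift)

if __name__ == "__main__":
    peers = peer_hosts(EVENTS, "ws-01")
    for w in (1, 2):   # a high score is the trigger for the security management action
        print(f"window {w}: peers={peers} score={anomaly_score(EVENTS, 'ws-01', peers, w):.2f}")
```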