Modeling behavior in a network using event logs
First Claim
1. A computer-implemented method, comprising:
independently considering a time series of events generated by a plurality of user credentials, by a monitoring computing system, the time series of events comprising log events for each user credential, the log events comprising a client computing system, a server computing system, and an event type;
fitting Bayesian models to the time series of events, by the monitoring computing system, for each of the plurality of user credentials;
determining, by the monitoring computing system, p-values for the client computing system, the server computing system, and the event type for each of the plurality of user credentials based on the respective fitted Bayesian model;
combining the determined p-values, by the monitoring computing system, to obtain a full posterior predictive p-value or an overall p-value;
checking, by the computing system, whether an event generated for a given user credential is anomalous with respect to the respective full posterior predictive p-value or overall p-value for that given user credential; and
when the event for the given user credential is anomalous based on the full posterior predictive p-value or overall p-value, flagging the given user credential as associated with anomalous behavior, by the monitoring computing system.
Abstract
A framework is provided for modeling the activity surrounding user credentials and/or machine level activity on a computer network using computer event logs by viewing the logs attributed to each user as a multivariate data stream. The methodology performs well in detecting compromised user credentials at a very low false positive rate. Such a methodology may detect both users of compromised credentials by external actors and otherwise authorized users who have begun engaging in malicious activity.
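The steps of claim 1 (one model per credential over the client, server and event-type fields, a p-value per field, a combined p-value, and a flag when it is small) as an added worked example. This is not the patent's own code and the patent text fixes none of the following choices, which are assumptions here: each field gets an independent Dirichlet-multinomial model with a symmetric prior ALPHA over the values seen anywhere in training plus one reserved "unseen" slot, the per-field score is the discrete posterior-predictive p-value, the three are combined with Fisher's method, and the flag threshold is 0.01. The log lines are constructed, not real data.

```python
"""Per-credential Bayesian anomaly scoring over (client, server, event_type).

Added example; assumptions (not from the patent text): independent
Dirichlet-multinomial model per field, discrete posterior-predictive p-values,
Fisher's method for combining them, constructed training data.
"""
from collections import Counter, defaultdict
from math import exp, factorial, log

FIELDS = ("client", "server", "event_type")
ALPHA = 1.0             # symmetric Dirichlet prior mass per category (assumption)
UNSEEN = "__unseen__"   # reserved slot for values never seen in training
THRESHOLD = 0.01        # overall p-value below which the credential is flagged (assumption)

# Constructed training log: (credential, client, server, event_type).
TRAINING = (
    [("alice", "wsA", "fs1", "logon")] * 45
    + [("alice", "wsA", "mail1", "logon")] * 5
    + [("bob", "wsB", "dc1", "logon")] * 10
    + [("bob", "wsB", "dc1", "logoff")] * 5
)


class CredentialModel:
    """Dirichlet-multinomial posterior over each field for one credential."""

    def __init__(self, vocab):
        self.vocab = vocab                           # field -> set of values seen network-wide
        self.counts = {f: Counter() for f in FIELDS}
        self.n = 0

    def update(self, event):
        for f, value in zip(FIELDS, event):
            self.counts[f][value if value in self.vocab[f] else UNSEEN] += 1
        self.n += 1

    def predictive(self, field, value):
        """Posterior predictive probability (n_c + ALPHA) / (N + ALPHA * K)."""
        cat = value if value in self.vocab[field] else UNSEEN
        k = len(self.vocab[field]) + 1               # known values plus the unseen slot
        return (self.counts[field][cat] + ALPHA) / (self.n + ALPHA * k)

    def p_value(self, field, value):
        """Discrete posterior-predictive p-value: total predictive mass of every
        category that is no more likely than the observed one."""
        p_obs = self.predictive(field, value)
        probs = [self.predictive(field, c) for c in list(self.vocab[field]) + [UNSEEN]]
        return sum(p for p in probs if p <= p_obs + 1e-12)


def fisher_combine(pvals):
    """Fisher's method: -2*sum(ln p) is chi-square with 2k degrees of freedom
    under the null. For even df the survival function has the closed form
    exp(-x/2) * sum_{i<k} (x/2)^i / i!, so no statistics library is needed."""
    k = len(pvals)
    half = -sum(log(p) for p in pvals)                # x / 2
    return exp(-half) * sum(half ** i / factorial(i) for i in range(k))


def build_models(events):
    """Fit one CredentialModel per credential from a training log."""
    vocab = {f: set() for f in FIELDS}
    for _, *fields in events:
        for f, v in zip(FIELDS, fields):
            vocab[f].add(v)
    models = defaultdict(lambda: CredentialModel(vocab))   # unknown credential -> prior only
    for cred, *fields in events:
        models[cred].update(tuple(fields))
    return models


def score(models, cred, event):
    """Return (per-field p-values, overall p-value, flagged) for one new event."""
    m = models[cred]
    pvals = {f: m.p_value(f, v) for f, v in zip(FIELDS, event)}
    overall = fisher_combine(list(pvals.values()))
    return pvals, overall, overall < THRESHOLD


if __name__ == "__main__":
    models = build_models(TRAINING)
    for cred, ev in [("alice", ("wsA", "fs1", "logon")),    # routine
                     ("alice", ("wsA", "dc1", "logon")),    # one unusual field
                     ("alice", ("wsB", "dc1", "logoff"))]:  # every field unusual
        pv, overall, flagged = score(models, cred, ev)
        print(cred, ev, {f: round(p, 4) for f, p in pv.items()},
              round(overall, 4), "FLAG" if flagged else "ok")
```

Two things worth noticing when running it. A single unusual field (alice reaching dc1 from her usual workstation) leaves the overall p-value around 0.36 and is tolerated, whereas a new client, a new server and a new event type together drive it below 0.01; that is what combining per-field p-values buys over alerting on any one field. Fisher's method assumes the per-field p-values are independent under the null; in real authentication logs client and server are often correlated for a given user, which makes the combined p-value optimistic, so the threshold should be calibrated on held-out benign traffic rather than read off the chi-square table. The reserved unseen slot keeps a never-before-seen host from getting zero predictive probability, which would otherwise make the logarithm in the combination step undefined.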
20 Claims

1. A computer-implemented method (independent claim; full text given above under First Claim).
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A computer-implemented method, comprising:
independently considering, by a monitoring computing system, a time series of machine level events generated by a plurality of monitored computing systems in a network, the time series of machine level events comprising log events for the plurality of monitored computing systems in the network, the log events comprising a client computing system, a server computing system, and an event type;
fitting Bayesian models to the time series of events, by the monitoring computing system, for each of the plurality of monitored computing systems in the network;
determining, by the monitoring computing system, p-values for the client computing system, the server computing system, and the event type for each of the plurality of machine level events based on the respective fitted Bayesian model;
combining the determined p-values, by the monitoring computing system, to obtain a full posterior predictive p-value or an overall p-value;
checking, by the monitoring computing system, whether an event generated for a given monitored computing system is anomalous with respect to the respective full posterior predictive p-value or overall p-value; and
when the event is anomalous based on the full posterior predictive p-value or overall p-value, flagging the monitored computing system associated with the anomalous event as exhibiting anomalous behavior, by the monitoring computing system.
Dependent claims: 13, 14, 15, 16.
17. A computer-implemented method, comprising:
independently considering, by a computing system, a time series of events generated by a plurality of user credentials and a plurality of monitored computing systems in a network, the time series of events comprising log events for each user credential and each monitored computing system of the plurality of monitored computing systems, the log events comprising a client computing system, a server computing system, and an event type;
fitting Bayesian models to the time series of events for each of the plurality of user credentials and each of the plurality of monitored computing systems in the network;
determining, by the monitoring computing system, p-values for the client computing system, the server computing system, and the event type for each of the plurality of user credentials and each of the plurality of machine level events based on the respective fitted Bayesian model;
combining the determined p-values, by the monitoring computing system, to obtain a full posterior predictive p-value or an overall p-value;
checking, by the computing system, whether an event generated for a given user credential or a given monitored computing system of the plurality of monitored computing systems is anomalous with respect to the respective full posterior predictive p-value or overall p-value for the given user credential or machine level event; and
when the event is anomalous based on the full posterior predictive p-value or overall p-value, flagging, by the monitoring computing system, the given user credential or the given monitored computing system of the plurality of monitored computing systems as associated with anomalous behavior.
Dependent claims: 18, 19, 20.
Specification