Malware communications detection
First Claim
1. A method comprising:
- receiving, by a computer system, event data associated with a communication between an internal entity within a computer network and an external entity outside the computer network;
generating, by the computer system, a plurality of entity-specific feature scores by processing the event data, wherein each of the entity-specific features scores is representative of a quantified evaluation of a level of risk associated with a particular entity, each of the feature scores generated by a different one of a plurality of different types of analyses of the event data, the particular entity being the internal entity or the external entity;
wherein the plurality of entity-specific feature scores include;
a first entity-specific feature score based on a lexical analysis of an identifier associated with the particular entity; and
a second entity-specific feature score based on an analysis of the timing or sequencing of communications by the particular entity;
generating, by the computer system, an entity profile associated with the particular entity, the entity profile including the plurality of entity-specific feature scores;
generating, by the computer system, an anomaly score based on the entity profile; and
detecting, by the computer system, an anomaly if the anomaly score satisfies a specified criterion.
2 Assignments
0 Petitions
Accused Products
Abstract
A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
-
Citations
30 Claims
-
1. A method comprising:
-
receiving, by a computer system, event data associated with a communication between an internal entity within a computer network and an external entity outside the computer network; generating, by the computer system, a plurality of entity-specific feature scores by processing the event data, wherein each of the entity-specific features scores is representative of a quantified evaluation of a level of risk associated with a particular entity, each of the feature scores generated by a different one of a plurality of different types of analyses of the event data, the particular entity being the internal entity or the external entity; wherein the plurality of entity-specific feature scores include; a first entity-specific feature score based on a lexical analysis of an identifier associated with the particular entity; and a second entity-specific feature score based on an analysis of the timing or sequencing of communications by the particular entity; generating, by the computer system, an entity profile associated with the particular entity, the entity profile including the plurality of entity-specific feature scores; generating, by the computer system, an anomaly score based on the entity profile; and detecting, by the computer system, an anomaly if the anomaly score satisfies a specified criterion. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
-
-
29. A system comprising:
-
a processor; and a memory unit having instructions stored thereon, which when executed by the processor cause the system to; receive event data associated with a communication between an internal entity within a computer network and an external entity outside the computer network; generate a plurality of entity-specific feature scores by processing the event data, wherein each of the entity-specific features scores is representative of a quantified evaluation of a level of risk associated with a particular entity, each of the feature scores generated by a different one of a plurality of different types of analyses of the event data, the particular entity being the internal entity or the external entity; wherein the plurality of entity-specific feature scores include; a first entity-specific feature score based on a lexical analysis of an identifier associated with the particular entity; and a second entity-specific feature score based on an analysis of the timing or sequencing of communications by the particular entity; generate an entity profile associated with the particular entity, the entity profile including the plurality of entity-specific feature scores; generate an anomaly score based on the entity profile; and detect an anomaly if the anomaly score satisfies a specified criterion.
-
-
30. A non-transient computer readable medium containing instructions for causing a computer system to:
-
receive event data associated with a communication between an internal entity within a computer network and an external entity outside the computer network; generate a plurality of entity-specific feature scores by processing the event data, wherein each of the entity-specific features scores is representative of a quantified evaluation of a level of risk associated with a particular entity, each of the feature scores generated by a different one of a plurality of different types of analyses of the event data, the particular entity being the internal entity or the external entity; wherein the plurality of entity-specific feature scores include; a first entity-specific feature score based on a lexical analysis of an identifier associated with the particular entity; and a second entity-specific feature score based on an analysis of the timing or sequencing of communications by the particular entity; generate an entity profile associated with the particular entity, the entity profile including the plurality of entity-specific feature scores; generate an anomaly score based on the entity profile; and detect an anomaly if the anomaly score satisfies a specified criterion.
-
Specification