Network threat detection and management system based on user behavior information
First Claim
1. A first device, comprising:
a memory storing instructions; and
one or more processors to execute the instructions to:
transmit one or more instructions, to a client device of a user, to deploy software on the client device;
receive, based on the software being deployed, behavior information that identifies the user and that identifies a behavior associated with the user, the behavior including an aggregation of one or more requests, from the client device, to access one or more network resources of a network;
determine whether a first model has been created, the first model, when created, including a first normal behavior pattern associated with the user, the first normal behavior pattern being an average of particular behaviors of the user during a particular period of time;
determine whether a second model has been created, the second model, when created, including a second normal behavior pattern associated with a user group to which the user belongs;
determine whether the behavior is normal by selectively comparing, based on whether at least one of the first model or the second model has been created, the behavior with the first normal behavior pattern or the second normal behavior pattern, the behavior information, that identifies the user and that identifies the behavior, being input into the first model to compare the behavior and the first normal behavior pattern when the first model has been created, and the behavior information, that identifies the user and that identifies the behavior, being input into the second model to compare the behavior and the second normal behavior pattern when the second model has been created;
provide a first instruction to allow the client device to proceed with the behavior or provide a second instruction to disallow the client device from proceeding with the behavior based on determining whether the behavior is normal;
update, when the first model has been created and when the behavior is determined to be normal, the first model by using the behavior information, that identifies the user and that identifies the behavior, to modify the first normal behavior pattern;
update, when the second model has been created and when the behavior is determined to be normal, the second model by using the behavior information, that identifies the user and that identifies the behavior, to modify the second normal behavior pattern;
perform, when the behavior is determined to be abnormal, an action to determine which device is first to have been affected by a network threat associated with the behavior, the action including providing threat analytics, the threat analytics including map information, associated with a second device, that shows a path of affected devices associated with the network threat, the second device being first to have been affected by the network threat according to the map information, and the threat analytics being configured to improve detection of the network threat; and
send a third instruction to disconnect the second device from the network based on the threat analytics.
1 Assignment
0 Petitions
Abstract
A device may receive behavior information that identifies a first user, of a first set of users, in association with a behavior. The behavior may relate to one or more requests, from a client device being used by the first user, to access a network resource. The device may determine, based on a model, whether the behavior is normal. The model may include a normal behavior pattern based on behavior information associated with the first set of users. The device may provide an instruction to allow the client device to proceed with the behavior or provide an instruction to disallow the client device from proceeding with the behavior based on determining whether the behavior is normal. The device may update the model based on the behavior information that identifies the first user and that identifies the behavior.
30 Citations
20 Claims
1. A first device, comprising: (independent claim; full text reproduced under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7
8. A computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by one or more processors, cause the one or more processors to:
transmit an instruction, to a client device of a user, to deploy software on the client device;
receive, based on the software being deployed, behavior information that identifies the user and a behavior associated with the user, the behavior including an aggregation of one or more requests, from the client device, to access one or more network resources of a network;
determine whether a first model has been created, the first model, when created, including a first normal behavior pattern associated with the user, the first normal behavior pattern being an average of particular behaviors of the user during a particular period of time;
determine whether a second model has been created, the second model, when created, including a second normal behavior pattern associated with a user group to which the user belongs;
determine whether the behavior is normal by selectively comparing, based on whether at least one of the first model or the second model has been created, the behavior with the first normal behavior pattern or the second normal behavior pattern, the behavior information, that identifies the user and that identifies the behavior, being input into the first model to compare the behavior and the first normal behavior pattern when the first model has been created, and the behavior information, that identifies the user and that identifies the behavior, being input into the second model to compare the behavior and the second normal behavior pattern when the second model has been created;
selectively provide a first instruction to prevent the client device from proceeding with the behavior based on determining whether the behavior is normal, the first instruction being provided based on the behavior being abnormal, or the first instruction not being provided based on the behavior being normal;
perform, based on determining that the behavior is abnormal, an action to determine which device is first to have been affected by a network threat associated with the behavior, the action including providing threat analytics, the threat analytics including map information that shows a path of affected devices associated with the network threat, a second device being first to have been affected by the network threat according to the map information; and
send a second instruction to disconnect the second device from the network based on the threat analytics.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A method, comprising:
transmitting, by a device, one or more instructions, to a client device of a user, to deploy software on the client device;
receiving, by the device based on the software being deployed, behavior information that identifies the user and a behavior associated with the user, the behavior including an aggregation of one or more requests, from the client device, to access one or more network resources of a network;
determining, by the device, whether a first model has been created, the first model, when created, including a first normal behavior pattern associated with the user, the first normal behavior pattern being an average of particular behaviors of the user during a particular period of time;
determining, by the device, whether a second model has been created, the second model, when created, including a second normal behavior pattern associated with a user group to which the user belongs;
determining, by the device, whether the behavior is abnormal by selectively comparing, based on whether at least one of the first model or the second model has been created, the behavior with the first normal behavior pattern or the second normal behavior pattern, the behavior information, that identifies the user and that identifies the behavior, being input into the first model to compare the behavior and the first normal behavior pattern when the first model has been created, and the behavior information, that identifies the user and that identifies the behavior, being input into the second model to compare the behavior and the second normal behavior pattern when the second model has been created;
performing, by the device and based on determining that the behavior is abnormal, an action to determine which device is first to have been affected by a network threat associated with the behavior, the action including providing threat analytics, the threat analytics including map information, associated with a patient zero device, that shows a path of affected devices associated with the network threat, the patient zero device being first to have been affected by the network threat according to the map information, and the threat analytics being configured to improve detection of the network threat; and
sending, by the device, a second instruction to disconnect the patient zero device from the network based on the threat analytics.
Dependent claims: 16, 17, 18, 19, 20
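An added example, not code from the patent or its assignee, that implements the flow the independent claims describe in Python: per-user ("first model") and per-group ("second model") normal behavior patterns kept as averages of request counts, selective comparison against whichever models exist, updating a model only when the behavior is judged normal, and walking the map information back to the patient zero device that is to be disconnected. The tolerance rule, the seeding of missing models from the first normal observation, and the (source, target, time) edge format for the map information are assumptions, as the claims do not specify them.

```python
from statistics import mean

class NormalPattern:
    """A 'normal behavior pattern': the average request count per time window."""
    def __init__(self, first_count):
        self.counts = [first_count]
    @property
    def average(self):
        return mean(self.counts)
    def is_normal(self, count, tolerance):
        # Assumed rule: normal if within +/- tolerance (a fraction) of the average.
        return abs(count - self.average) <= tolerance * max(self.average, 1.0)
    def update(self, count):
        self.counts.append(count)   # only called for behavior judged normal

class BehaviorDetector:
    def __init__(self, tolerance=0.5):
        self.tolerance = tolerance
        self.user_models = {}    # "first model": one pattern per user
        self.group_models = {}   # "second model": one pattern per user group
    def evaluate(self, user, group, request_count):
        """Return "allow" or "disallow" for one aggregated behavior."""
        um, gm = self.user_models.get(user), self.group_models.get(group)
        if um is None and gm is None:
            # Assumption: nothing to compare against yet, so allow and seed both models.
            self.user_models[user] = NormalPattern(request_count)
            self.group_models[group] = NormalPattern(request_count)
            return "allow"
        # Selective comparison: only existing models are consulted; any one flagging abnormal wins (assumption).
        if not all(m.is_normal(request_count, self.tolerance) for m in (um, gm) if m):
            return "disallow"            # abnormal: models are left untouched
        for m in (um, gm):
            if m: m.update(request_count)
        self.user_models.setdefault(user, NormalPattern(request_count))
        self.group_models.setdefault(group, NormalPattern(request_count))
        return "allow"

def find_patient_zero(affected_device, propagation_edges):
    """Map information as constructed (source, target, time) edges meaning 'source affected
    target at time'. Returns (patient_zero, path from patient zero to affected_device)."""
    earliest = {}
    for src, dst, t in propagation_edges:
        if dst not in earliest or t < earliest[dst][1]:
            earliest[dst] = (src, t)
    path = [affected_device]
    while path[-1] in earliest and earliest[path[-1]][0] not in path:
        path.append(earliest[path[-1]][0])  # 'not in path' guards against cycles
    path.reverse()
    return path[0], path
```

The disconnect instruction of the claims would then target `find_patient_zero(...)[0]`, and the returned path is the "path of affected devices" the threat analytics are to show.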
Specification