Network threat detection and management system based on user behavior information

US 10,412,106 B2
Filed: 03/02/2015
Issued: 09/10/2019
Est. Priority Date: 03/02/2015
Status: Active Grant

First Claim

Patent Images

1. A first device, comprising:

a memory storing instructions; and

one or more processors to execute the instructions to;

transmit one or more instructions, to a client device of a user, to deploy software on the client device;

receive, based on the software being deployed, behavior information that identifies the user and that identifies a behavior associated with the user,the behavior including an aggregation of one or more requests, from the client device, to access one or more network resources of a network;

determine whether a first model has been created,the first model, when created, including a first normal behavior pattern associated with the user,the first normal behavior pattern being an average of particular behaviors of the user during a particular period of time;

determine whether a second model has been created,the second model, when created, including a second normal behavior pattern associated with a user group to which the user belongs;

determine whether the behavior is normal by selectively comparing, based on whether at least one of the first model or the second model has been created, the behavior with the first normal behavior pattern or the second normal behavior pattern,the behavior information, that identifies the user and that identifies the behavior, being input into the first model to compare the behavior and the first normal behavior pattern when the first model has been created, andthe behavior information, that identifies the user and that identifies the behavior, being input into the second model to compare the behavior and the second normal behavior pattern when the second model has been created;

provide a first instruction to allow the client device to proceed with the behavior or provide a second instruction to disallow the client device from proceeding with the behavior based on determining whether the behavior is normal;

update, when the first model has been created and when the behavior is determined to be normal, the first model by using the behavior information, that identifies the user and that identifies the behavior, to modify the first normal behavior pattern;

update, when the second model has been created and when the behavior is determined to be normal, the second model by using the behavior information, that identifies the user and that identifies the behavior, to modify the second normal behavior pattern;

perform, when the behavior is determined to be abnormal, an action to determine which device is first to have been affected by a network threat associated with the behavior,the action including providing threat analytics,the threat analytics including map information, associated with a second device, that shows a path of affected devices associated with the network threat,

the second device being first to have been affected by the network threat according to the map information, andthe threat analytics being configured to improve detection of the network threat; and

send a third instruction to disconnect the second device from the network based on the threat analytics.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device may receive behavior information that identifies a first user, of a first set of users, in association with a behavior. The behavior may relate to one or more requests, from a client device being used by the first user, to access a network resource. The device may determine, based on a model, whether the behavior is normal. The model may include a normal behavior pattern based on behavior information associated with the first set of users. The device may provide an instruction to allow the client device to proceed with the behavior or provide an instruction to disallow the client device from proceeding with the behavior based on determining whether the behavior is normal. The device may update the model based on the behavior information that identifies the first user and that identifies the behavior.

30 Citations

View as Search Results

20 Claims

1. A first device, comprising:
- a memory storing instructions; and
  
  one or more processors to execute the instructions to;
  
  transmit one or more instructions, to a client device of a user, to deploy software on the client device;
  
  receive, based on the software being deployed, behavior information that identifies the user and that identifies a behavior associated with the user,the behavior including an aggregation of one or more requests, from the client device, to access one or more network resources of a network;
  
  determine whether a first model has been created,the first model, when created, including a first normal behavior pattern associated with the user,the first normal behavior pattern being an average of particular behaviors of the user during a particular period of time;
  
  determine whether a second model has been created,the second model, when created, including a second normal behavior pattern associated with a user group to which the user belongs;
  
  determine whether the behavior is normal by selectively comparing, based on whether at least one of the first model or the second model has been created, the behavior with the first normal behavior pattern or the second normal behavior pattern,the behavior information, that identifies the user and that identifies the behavior, being input into the first model to compare the behavior and the first normal behavior pattern when the first model has been created, andthe behavior information, that identifies the user and that identifies the behavior, being input into the second model to compare the behavior and the second normal behavior pattern when the second model has been created;
  
  provide a first instruction to allow the client device to proceed with the behavior or provide a second instruction to disallow the client device from proceeding with the behavior based on determining whether the behavior is normal;
  
  update, when the first model has been created and when the behavior is determined to be normal, the first model by using the behavior information, that identifies the user and that identifies the behavior, to modify the first normal behavior pattern;
  
  update, when the second model has been created and when the behavior is determined to be normal, the second model by using the behavior information, that identifies the user and that identifies the behavior, to modify the second normal behavior pattern;
  
  perform, when the behavior is determined to be abnormal, an action to determine which device is first to have been affected by a network threat associated with the behavior,the action including providing threat analytics,the threat analytics including map information, associated with a second device, that shows a path of affected devices associated with the network threat,
  
  the second device being first to have been affected by the network threat according to the map information, andthe threat analytics being configured to improve detection of the network threat; and
  
  send a third instruction to disconnect the second device from the network based on the threat analytics.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The first device of claim 1, where the one or more processors are further to:
    - receive normal behavior parameters that define a normal behavior; and
      
      create the first model based on the normal behavior parameters and based on the behavior information.
  - 3. The first device of claim 1, where the one or more processors, when providing the first instruction to allow the client device to proceed with the behavior or providing the second instruction to disallow the client device from proceeding with the behavior, are to:
    - provide the first instruction to allow the client device to proceed with the behavior based on the behavior being normal;
      
      orprovide the second instruction to disallow the client device from proceeding with the behavior based on the behavior being abnormal.
  - 4. The first device of claim 1, where the one or more processors are further to:
    - determine whether a difference between the second normal behavior pattern and the behavior satisfies a threshold; and
      
      where the one or more processors, when determining whether the behavior is normal, are to;
      
      determine whether the behavior is normal based on determining whether the difference satisfies the threshold,the behavior being abnormal based on the difference satisfying the threshold, andthe behavior being normal based on the difference not satisfying the threshold.
  - 5. The first device of claim 1, where the client device is a first client device, andwhere the one or more network resources include at least one of:
    - a website,a file,an email,a text message,a contacts list,a network service, orother resource associated with a network resource device or a second client device,the network resource device being a server or a traffic transfer device.
  - 6. The first device of claim 1, where the threat analytics includes at least one of:
    - graphs, orother data analysis tools that analyze one or more network threats associated with the network; and
      
      where the one or more processors are further to;
      
      receive one or more parameters associated with the threat analytics,the one or more parameters including information that identifies at least one of;
      
      a geographical area associated with the client device,a client device type associated with the client device,an operating system associated with the client device,an internet browser associated with the client device,a manufacturer associated with the client device,an educational background of the user, orthe user group to which the user belongs.
  - 7. The first device of claim 1, where the second normal behavior pattern includes one or more behaviors not associated with an attack on the one or more network resources.

8. A computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors, cause the one or more processors to;
  
  transmit an instruction, to a client device of a user, to deploy software on the client device;
  
  receive, based on the software being deployed, behavior information that identifies the user and a behavior associated with the user,the behavior including an aggregation of one or more requests, from the client device, to access one or more network resources of a network;
  
  determine whether a first model has been created,the first model, when created, including a first normal behavior pattern associated with the user,the first normal behavior pattern being an average of particular behaviors of the user during a particular period of time;
  
  determine whether a second model has been created,the second model, when created, including a second normal behavior pattern associated with a user group to which the user belongs;
  
  determine whether the behavior is normal by selectively comparing, based on whether at least one of the first model or the second model has been created, the behavior with the first normal behavior pattern or the second normal behavior pattern,the behavior information, that identifies the user and that identifies the behavior, being input into the first model to compare the behavior and the first normal behavior pattern when the first model has been created, andthe behavior information, that identifies the user and that identifies the behavior, being input into the second model to compare the behavior and the second normal behavior pattern when the second model has been created;
  
  selectively provide a first instruction to prevent the client device from proceeding with the behavior based on determining whether the behavior is normal,the first instruction being provided based on the behavior being abnormal, orthe first instruction not being provided based on the behavior being normal;
  
  perform, based on determining that the behavior is abnormal, an action to determine which device is first to have been affected by a network threat associated with the behavior,the action including providing threat analytics,the threat analytics including map information that shows a path of affected devices associated with the network threat,
  
  a second device being first to have been affected by the network threat according to the map information; and
  
  send a second instruction to disconnect the second device from the network based on the threat analytics.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - receive normal behavior parameters that define a normal behavior in association with a normal user; and
      
      create the first model.
  - 10. The computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - determine whether a difference between the second normal behavior pattern and the behavior satisfies a threshold; and
      
      where the one or more instructions, that cause the one or more processors to determine whether the behavior is normal, cause the one or more processors to;
      
      determine whether the behavior is normal based on determining whether the difference satisfies the threshold,the behavior being abnormal based on the difference satisfying the threshold, andthe behavior being normal based on the difference not satisfying the threshold.
  - 11. The computer-readable medium of claim 8, where the client device is a first client device andwhere the one or more network resources include:
    - a website,a file,an email,a text message,a contacts list,a network service, oranother resource associated with a network resource device or associated with a second client device.
  - 12. The computer-readable medium of claim 8, where the second normal behavior pattern includes one or more requests not associated with an attack on the one or more network resources.
  - 13. The computer-readable medium of claim 8, where the action is a first action;
    - andwhere the one or more instructions, when executed by the one or more processors, further cause the one or more processors to;
      
      perform a second action to neutralize the network threat posed by the behavior based on determining that the behavior is abnormal,the second action including shutting down a part of the network associated with the behavior.
  - 14. The computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - selectively provide a notification, which indicates a presence of the network threat, to the client device based on determining whether the behavior is normal,the notification being provided to the client device based on the behavior being abnormal, andthe notification not being provided to the client device based on the behavior being normal.

15. A method, comprising:
- transmitting, by a device, one or more instructions, to a client device of a user, to deploy software on the client device;
  
  receiving, by the device based on the software being deployed, behavior information that identifies the user and a behavior associated with the user,the behavior including an aggregation of one or more requests, from the client device, to access one or more network resources of a network;
  
  determining, by the device, whether a first model has been created,the first model, when created, including a first normal behavior pattern associated with the user,the first normal behavior pattern being an average of particular behaviors of the user during a particular period of time;
  
  determining, by the device, whether a second model has been created,the second model, when created, including a second normal behavior pattern associated with a user group to which the user belongs;
  
  determining, by the device, whether the behavior is abnormal by selectively comparing, based on whether at least one of the first model or the second model has been created, the behavior with the first normal behavior pattern or the second normal behavior pattern,the behavior information, that identifies the user and that identifies the behavior, being input into the first model to compare the behavior and the first normal behavior pattern when the first model has been created, andthe behavior information, that identifies the user and that identifies the behavior, being input into the second model to compare the behavior and the second normal behavior pattern when the second model has been created;
  
  performing, by the device and based on determining that the behavior is abnormal, an action to determine which device is first to have been affected by a network threat associated with the behavior,the action including providing threat analytics,the threat analytics including map information, associated with a patient zero device, that shows a path of affected devices associated with the network threat,the patient zero device being first to have been affected by the network threat according to the map information, andthe threat analytics being configured to improve detection of the network threat; and
  
  sending, by the device, a second instruction to disconnect the patient zero device from the network based on the threat analytics.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, where receiving the behavior information comprises:
    - receiving the behavior information based on using an export protocol or based on using a log associated with short message service or multimedia messaging service.
  - 17. The method of claim 15, where receiving the behavior information comprises:
    - receiving the behavior information from the client device or from sensors that detect behavior associated with the client device.
  - 18. The method of claim 15, where the client device is a first client device, andwhere the one or more network resources include:
    - a website,a file,an email,a text message,a contacts list,a network service, ora resource associated with a network resource device or a second client device, the network resource device being a server or a traffic transfer device.
  - 19. The method of claim 15, where the threat analytics includes big data analysis tools that analyze one or more network threats associated with the network,the big data analysis tools being capable of analyzing billions of data points;
    - andwhere the method further comprises;
      
      receiving one or more parameters associated with the threat analytics,the one or more parameters including information that identifies at least one of;
      
      a geographical area associated with the client device,a client device type associated with the client device,an operating system associated with the client device,an internet browser associated with the client device,a manufacturer associated with the client device,an educational background of the user, orthe user group to which the user belongs.
  - 20. The method of claim 15, further comprising:
    - updating, when the first model has been created, the first model based on the behavior information that identifies the user and the behavior associated with the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Srivastava, Ashok N., Das, Santanu, Shao, Hai
Primary Examiner(s)
Lemma, Samson B
Assistant Examiner(s)
Cruz-Franqui, Richard W

Application Number

US14/635,158
Publication Number

US 20160261621A1
Time in Patent Office

1,653 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

H04L 67/535   Tracking the activity of th...

H04L 69/22   Parsing or analysis of headers

Network threat detection and management system based on user behavior information

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network threat detection and management system based on user behavior information

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links