System and method for determining network security threats
Abstract
System and methods for determining network threats are disclosed. For each entity operating in a network being monitored for network security, an example method obtains an observed metric value for each metric that characterizes actions performed by the entity. Each observed metric value may be input into a machine learning model that is specific to the metric in order to determine an anomaly score for the observed metric value that represents how anomalous the observed metric value is relative to an expected metric value for the metric. A threat score may then be determined for each entity from the anomaly scores for each metric. A security threat presentation that identifies one or more high-scoring entities according to the threat scores may be generated and provided for display on a user device.
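The pipeline described in the abstract and in the independent claims (one model per metric, a probability for the observed value, an anomaly score derived from that probability, aggregation into a per-entity threat score, and ranking for the threat presentation), as an added runnable illustration that is not code from the patent. The Gaussian per-metric model, the -log10 probability scoring, summation as the aggregation step, the metric names and the baseline and observed values are all assumptions made here; the patent does not fix the model form or the aggregation.

```python
import math

class GaussianMetricModel:
    """Per-metric model of expected behaviour: a Gaussian fitted to baseline values.
    The Gaussian is an illustrative assumption; the patent leaves the model form open."""
    def __init__(self, name, baseline):
        n = len(baseline)
        self.name = name
        self.mean = sum(baseline) / n
        var = sum((v - self.mean) ** 2 for v in baseline) / (n - 1)
        self.std = max(math.sqrt(var), 1e-9)  # floor std so a constant metric cannot divide by zero

    def probability(self, value):
        # Upper-tail probability P(X >= value): how likely the baseline produces a value at least
        # this large. Only excess is scored here; unusually low values would need the lower tail.
        z = (value - self.mean) / self.std
        return 0.5 * math.erfc(z / math.sqrt(2))

def anomaly_score(p):
    # Rarer observation -> higher score (-log10 p); clamp so an underflowed p=0 stays finite.
    return -math.log10(max(p, 1e-300))

# Constructed baseline samples of typical behaviour, one list per metric.
BASELINE = {
    "bytes_out_mb": [40, 55, 48, 62, 51, 45, 58, 50],
    "distinct_hosts": [5, 7, 6, 8, 6, 5, 7, 6],
    "failed_logins": [0, 1, 0, 2, 1, 0, 1, 1],
}
# Constructed observed metric values for three entities (two users, one host).
OBSERVED = {
    "alice": {"bytes_out_mb": 52, "distinct_hosts": 6, "failed_logins": 1},
    "bob": {"bytes_out_mb": 60, "distinct_hosts": 7, "failed_logins": 0},
    "svc-db": {"bytes_out_mb": 120, "distinct_hosts": 12, "failed_logins": 6},
}

def train_models(baseline):
    return {m: GaussianMetricModel(m, vals) for m, vals in baseline.items()}

def threat_scores(models, observed):
    # One anomaly score per (entity, metric), aggregated (here by summation) into a threat score.
    scores = {}
    for entity, metrics in observed.items():
        per_metric = {m: anomaly_score(models[m].probability(v)) for m, v in metrics.items()}
        scores[entity] = (sum(per_metric.values()), per_metric)
    return scores

def rank_entities(scores):
    # Highest threat score first: the entities a security threat presentation would surface.
    return sorted(((e, s[0]) for e, s in scores.items()), key=lambda t: -t[1])
```

Keeping the per-metric breakdown alongside the aggregate lets an analyst see which behaviour drove a high score rather than a bare number.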
21 Claims
1. A computer-implemented method for determining network threats for a computer network, the method comprising:
- obtaining, for each of a plurality of entities operating in a computer network being monitored for network security, a respective observed metric value for each of a plurality of metrics that each represent a respective behavior exhibited by the entity, wherein the plurality of entities comprise at least one or more users or one or more host computers;
- for each of the plurality of metrics, training, using information about typical entity behavior in the monitored network from various sources, a respective machine learning model that is specific to the metric and that models an expected metric value for the metric;
- for each of the plurality of entities and for each of the plurality of metrics, determining, using the trained machine learning model that is specific to the metric, an anomaly score for the observed metric value for the entity that represents how anomalous the observed metric value is relative to an expected metric value for the metric by:
  - determining a probability of the observed metric value occurring in the computer network being monitored using the trained machine learning model that is specific to the metric; and
  - determining the anomaly score from the determined probability of the observed metric value occurring in the computer network being monitored, the anomaly score indicating how anomalous the observed metric value for the entity is relative to an expected metric value for the specific metric;
- aggregating the anomaly scores from the machine learning models specific to the respective metrics, to generate a respective threat score for each entity; and
- detecting potential network threats based on the threat scores of the entities.

View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)

11. A system comprising:
- one or more computers; and
- one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising:
  - obtaining, for each of a plurality of entities operating in a computer network being monitored for network security, a respective observed metric value for each of a plurality of metrics that each represent a respective behavior exhibited by the entity, wherein the plurality of entities comprise one or more users or host computers;
  - for each of the plurality of metrics, training, using information about typical entity behavior in the monitored network from various sources, a respective machine learning model that is specific to the metric and that models an expected metric value for the metric;
  - for each of the plurality of entities and for each of the plurality of metrics, determining, using the trained machine learning model that is specific to the metric, an anomaly score for the observed metric value that represents how anomalous the observed metric value for the entity is relative to an expected metric value for the metric by:
    - determining a probability of the observed metric value occurring in the computer network being monitored using the trained machine learning model that is specific to the metric; and
    - determining the anomaly score from the determined probability of the observed metric value occurring in the computer network being monitored, the anomaly score indicating how anomalous the observed metric value is relative to an expected metric value for the specific metric;
  - aggregating the anomaly scores from the machine learning models specific to the respective metrics to generate a respective threat score for each entity; and
  - detecting potential network threats based on the threat scores of the entities.

View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)

20. One or more non-transitory computer-readable storage media having instructions stored thereon that, when executed by one or more processing devices, cause the processing devices to perform operations comprising:
- obtaining, for each of a plurality of entities operating in a computer network being monitored for network security, a respective observed metric value for each of a plurality of metrics that each represent a respective behavior exhibited by the entity, wherein the plurality of entities comprise one or more users or one or more host computers;
- for each of the plurality of metrics, training, using information about typical entity behavior in the monitored network from various sources, a respective machine learning model that is specific to the metric and that models an expected metric value for the metric;
- for each of the plurality of entities and for each of the plurality of metrics, determining, using the trained machine learning model that is specific to the metric, an anomaly score for the observed metric value for the entity that represents how anomalous the observed metric value is relative to an expected metric value for the metric by:
  - determining a probability of the observed metric value occurring in the computer network being monitored using the trained machine learning model that is specific to the metric; and
  - determining the anomaly score from the determined probability of the observed metric value occurring in the computer network being monitored, the anomaly score indicating how anomalous the observed metric value for the entity is relative to an expected metric value for the specific metric;
- aggregating the anomaly scores from the machine learning models specific to the respective metrics to generate a respective threat score for each entity; and
- detecting potential network threats based on the threat scores of the entities.

View Dependent Claims (21)