Methods and apparatus for detecting suspicious network activity
First Claim
1. A method comprising:
- obtaining network event data for a plurality of user-server communications for a given user;
- determining, using at least one processing device, a number of distinct servers said user communicated with during a predefined time window;
- determining, using the at least one processing device, a number of distinct servers said user failed in authenticating to during said predefined time window; and
- assigning, using the at least one processing device, a risk score to said user based on said number of distinct servers said user communicated with and said number of distinct servers said user failed in authenticating to during said predefined time window.
Abstract
Methods and apparatus are provided for detecting suspicious network activity, such as in an enterprise network. An exemplary method comprises obtaining network event data for a plurality of user-server communications for a given user; determining a number of distinct servers the user communicated with during a predefined time window; determining a number of distinct servers the user failed in authenticating to during the predefined time window; and assigning a risk score to the user based on the number of distinct servers the user communicated with and the number of distinct servers the user failed in authenticating to during the predefined time window. Generally, the risk score provides a measure of how anomalous it is for the user to communicate with that number of servers during the predefined time window. An absolute score is optionally assigned based on an evaluation of the number of distinct servers the user communicated with during the predefined time window relative to a predefined threshold number.
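The following is an added worked example of the counting and scoring steps the abstract describes; it is not code from the patent or its assignee. The event records are constructed, and the scoring rule (excess over a per-user baseline plus a weighted count of failed-authentication servers), the failure weight, the absolute threshold and the baseline values are all assumptions chosen to illustrate the method, not values taken from the patent.

```python
"""Per-user risk scoring from network event data (constructed example)."""
from datetime import datetime, timedelta

# Constructed sample network event data: (timestamp, user, server, auth outcome).
SAMPLE_EVENTS = [
    ("2024-01-15T09:00:00", "alice", "fileserver01", "success"),
    ("2024-01-15T09:05:00", "alice", "mail01", "success"),
    ("2024-01-15T09:06:00", "alice", "fileserver01", "success"),
    ("2024-01-15T09:10:00", "bob", "fileserver01", "success"),
    ("2024-01-15T09:11:00", "bob", "hr-db01", "failure"),
    ("2024-01-15T09:12:00", "bob", "hr-db02", "failure"),
    ("2024-01-15T09:13:00", "bob", "finance01", "failure"),
    ("2024-01-15T09:14:00", "bob", "build01", "success"),
    ("2024-01-15T09:15:00", "bob", "wiki01", "success"),
    ("2024-01-15T09:16:00", "bob", "jump01", "failure"),
    ("2024-01-16T09:00:00", "bob", "fileserver01", "success"),  # outside the window used below
]

# Assumed tuning parameters (not taken from the patent text).
FAILURE_WEIGHT = 2        # extra weight per distinct server with a failed authentication
ABSOLUTE_THRESHOLD = 6    # distinct servers at or above this raise the absolute flag


def server_counts(events, user, window_start, window):
    """Return (distinct servers contacted, distinct servers with a failed
    authentication) for `user` within [window_start, window_start + window)."""
    window_end = window_start + window
    contacted, failed = set(), set()
    for ts, evt_user, server, outcome in events:
        if evt_user != user:
            continue
        t = datetime.fromisoformat(ts)
        if not (window_start <= t < window_end):
            continue
        contacted.add(server)          # every communication counts, whatever its outcome
        if outcome == "failure":
            failed.add(server)         # distinct servers the user failed to authenticate to
    return len(contacted), len(failed)


def risk_score(n_contacted, n_failed, baseline):
    """Assumed scoring rule: distinct servers in excess of the user's usual number
    per window, plus a weighted count of distinct failed-authentication servers."""
    relative = max(0, n_contacted - baseline)
    return relative + FAILURE_WEIGHT * n_failed


def score_users(events, window_start_iso, window_hours, baselines):
    """Score every user in `events` for one window. `baselines` maps user -> typical
    number of distinct servers per window (assumed to come from historical data);
    an unknown user gets baseline 0, so all of their servers count as excess."""
    window_start = datetime.fromisoformat(window_start_iso)
    window = timedelta(hours=window_hours)
    results = {}
    for user in sorted({u for _, u, _, _ in events}):
        n_contacted, n_failed = server_counts(events, user, window_start, window)
        results[user] = {
            "distinct_servers": n_contacted,
            "failed_auth_servers": n_failed,
            "risk_score": risk_score(n_contacted, n_failed, baselines.get(user, 0)),
            # absolute score: evaluated against a fixed threshold, independent of baseline
            "absolute_flag": n_contacted >= ABSOLUTE_THRESHOLD,
        }
    return results


if __name__ == "__main__":
    scores = score_users(SAMPLE_EVENTS, "2024-01-15T00:00:00", 24,
                         {"alice": 3, "bob": 3})
    for user, r in scores.items():
        print(user, r)
```

With the constructed data, `bob` touches seven distinct servers in the one-day window and fails to authenticate to four of them, which both exceeds the assumed absolute threshold and scores well above `alice`, who stays within her baseline. In a real deployment the baseline would be derived from the user's own history rather than hard-coded, and the window, weight and threshold would be tuned against the false-positive rate the operations team can absorb.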
Claims (20 total)

1. A method comprising:
- obtaining network event data for a plurality of user-server communications for a given user;
- determining, using at least one processing device, a number of distinct servers said user communicated with during a predefined time window;
- determining, using the at least one processing device, a number of distinct servers said user failed in authenticating to during said predefined time window; and
- assigning, using the at least one processing device, a risk score to said user based on said number of distinct servers said user communicated with and said number of distinct servers said user failed in authenticating to during said predefined time window.
(Dependent claims 2 through 7 are not reproduced here.)

8. A system, comprising:
- a memory; and
- at least one processing device, coupled to the memory, operative to implement the following steps: obtaining network event data for a plurality of user-server communications for a given user; determining a number of distinct servers said user communicated with during a predefined time window; determining a number of distinct servers said user failed in authenticating to during said predefined time window; and assigning a risk score to said user based on said number of distinct servers said user communicated with and said number of distinct servers said user failed in authenticating to during said predefined time window.
(Dependent claims 9 through 14 are not reproduced here.)

15. A computer program product, comprising a non-transitory machine-readable storage medium having encoded therein executable code of one or more software programs, wherein the one or more software programs when executed by at least one processing device perform the following steps:
- obtaining network event data for a plurality of user-server communications for a given user;
- determining, using at least one processing device, a number of distinct servers said user communicated with during a predefined time window;
- determining, using the at least one processing device, a number of distinct servers said user failed in authenticating to during said predefined time window; and
- assigning, using the at least one processing device, a risk score to said user based on said number of distinct servers said user communicated with and said number of distinct servers said user failed in authenticating to during said predefined time window.
(Dependent claims 16 through 20 are not reproduced here.)
Specification