Methods and apparatus for detecting suspicious network activity

US 10,425,432 B1
Filed: 06/24/2016
Issued: 09/24/2019
Est. Priority Date: 06/24/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining network event data for a plurality of user-server communications for a given user;

determining, using at least one processing device, a number of distinct servers said user communicated with during a predefined time window;

determining, using the at least one processing device, a number of distinct servers said user failed in authenticating to during said predefined time window; and

assigning, using the at least one processing device, a risk score to said user based on said number of distinct servers said user communicated with and said number of distinct servers said user failed in authenticating to during said predefined time window.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus are provided for detecting suspicious network activity, such as in an enterprise network. An exemplary method comprises obtaining network event data for a plurality of user-server communications for a given user, determining a number of distinct servers the user communicated with during a predefined time window; determining a number of distinct servers the user failed in authenticating to during the predefined time window; and assigning a risk score to the user based on the number of distinct servers the user communicated with and the number of distinct servers the user failed in authenticating to during the predefined time window. Generally, the risk score provides a measure of an anomalousness of the user communicating with the number of servers during the predefined time window. An absolute score is optionally assigned based on an evaluation of the number of distinct servers the user communicated with during the predefined time window relative to a predefined threshold number.

10 Citations

View as Search Results

20 Claims

1. A method comprising:
- obtaining network event data for a plurality of user-server communications for a given user;
  
  determining, using at least one processing device, a number of distinct servers said user communicated with during a predefined time window;
  
  determining, using the at least one processing device, a number of distinct servers said user failed in authenticating to during said predefined time window; and
  
  assigning, using the at least one processing device, a risk score to said user based on said number of distinct servers said user communicated with and said number of distinct servers said user failed in authenticating to during said predefined time window.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein said risk score provides a measure of an anomalousness of said user communicating with said number of servers during said predefined time window.
  - 3. The method of claim 1, wherein said risk score evaluates (i) said number of distinct servers the user communicated with during said predefined time window, relative to an average number of distinct servers the user communicated with during a predefined training period, and (ii) said number of distinct servers the user failed in authenticating to during said predefined time window, relative to an average number of distinct servers the user failed in authenticating to during said predefined training period.
  - 4. The method of claim 1, wherein said network event data comprises a username, host name, time stamp and outcome of each server login attempt of said user.
  - 5. The method of claim 1, further comprising the step of assigning an absolute score based on an evaluation of said number of distinct servers said user communicated with during said predefined time window relative to a predefined threshold number.
  - 6. The method of claim 5, wherein a final risk score of the user is determined from said risk score and said absolute risk score.
  - 7. The method of claim 1, wherein a final risk score is a maximum of a first risk score based on said number of distinct servers said user communicated with during said predefined time window and a second risk score based on said number of distinct servers said user failed in authenticating to during said predefined time window.

8. A system, comprising:
- a memory; and
  
  at least one processing device, coupled to the memory, operative to implement the following steps;
  
  obtaining network event data for a plurality of user-server communications for a given user,determining a number of distinct servers said user communicated with during a predefined time window;
  
  determining a number of distinct servers said user failed in authenticating to during said predefined time window; and
  
  assigning a risk score to said user based on said number of distinct servers said user communicated with and said number of distinct servers said user failed in authenticating to during said predefined time window.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein said risk score provides a measure of an anomalousness of said user communicating with said number of servers during said predefined time window.
  - 10. The system of claim 8, wherein said risk score evaluates (i) said number of distinct servers the user communicated with during said predefined time window, relative to an average number of distinct servers the user communicated with during a predefined training period, and (ii) said number of distinct servers the user failed in authenticating to during said predefined time window, relative to an average number of distinct servers the user failed in authenticating to during said predefined training period.
  - 11. The system of claim 8, wherein said network event data comprises a username, host name, time stamp and outcome of each server login attempt of said user.
  - 12. The system of claim 8, further comprising the step of assigning an absolute score based on an evaluation of said number of distinct servers said user communicated with during said predefined time window relative to a predefined threshold number.
  - 13. The system of claim 12, wherein a final risk score of the user is determined from said risk score and said absolute risk score.
  - 14. The system of claim 8, wherein a final risk score is a maximum of a first risk score based on said number of distinct servers said user communicated with during said predefined time window and a second risk score based on said number of distinct servers said user failed in authenticating to during said predefined time window.

15. A computer program product, comprising a non-transitory machine-readable storage medium having encoded therein executable code of one or more software programs, wherein the one or more software programs when executed by at least one processing device perform the following steps:
- obtaining network event data for a plurality of user-server communications for a given user;
  
  determining, using at least one processing device, a number of distinct servers said user communicated with during a predefined time window;
  
  determining, using the at least one processing device, a number of distinct servers said user failed in authenticating to during said predefined time window; and
  
  assigning, using the at least one processing device, a risk score to said user based on said number of distinct servers said user communicated with and said number of distinct servers said user failed in authenticating to during said predefined time window.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product of claim 15, wherein said risk score provides a measure of an anomalousness of said user communicating with said number of servers during said predefined time window.
  - 17. The computer program product of claim 15, wherein said risk score evaluates (i) said number of distinct servers the user communicated with during said predefined time window, relative to an average number of distinct servers the user communicated with during a predefined training period, and (ii) said number of distinct servers the user failed in authenticating to during said predefined time window, relative to an average number of distinct servers the user failed in authenticating to during said predefined training period.
  - 18. The computer program product of claim 15, further comprising the step of assigning an absolute score based on an evaluation of said number of distinct servers said user communicated with during said predefined time window relative to a predefined threshold number.
  - 19. The computer program product of claim 18, wherein a final risk score of the user is determined from said risk score and said absolute risk score.
  - 20. The computer program product of claim 15, wherein a final risk score is a maximum of a first risk score based on said number of distinct servers said user communicated with during said predefined time window and a second risk score based on said number of distinct servers said user failed in authenticating to during said predefined time window.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Raviv, Kineret, Fleyder, Uri, Kolman, Eyal, Mann, Ofri
Primary Examiner(s)
Patel, Ashokkumar B
Assistant Examiner(s)
Carey, Forrest L

Application Number

US15/192,360
Time in Patent Office

1,187 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Methods and apparatus for detecting suspicious network activity

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Methods and apparatus for detecting suspicious network activity

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others