Comparison of behavioral populations for security and compliance monitoring
First Claim
1. A system, comprising:
a memory or other storage device configured to store for each of a plurality of implementations of a computing resource a corresponding behavioral profile data comprising for each of a plurality of observed behavioral patterns observed to have been exhibited by an implementation a corresponding summary representation of one or more characteristic traits of the behavioral pattern; and
a processor coupled to the memory or other storage device and configured to:
read and use at least portions of said behavioral profile data associated with one or more implementations included in a cohort comprising a sub-population of said plurality of implementations identified by configuration data as being associated with said cohort to determine that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort;
receive a request associated with said sub-population of said plurality of implementations;
select two or more implementations within said sub-population to process the request;
receive from each a response to the request;
compare the responses;
determine, based at least in part on the comparison of the responses, a statistical mode response to be provided in response to the request;
detect that an outlier response not consistent with said statistical mode response was returned by one or more of said two or more implementations; and
take responsive action with respect to said one or more implementations that provided the outlier response.
Abstract
Techniques to compare behavioral populations for security and compliance monitoring are disclosed. In various embodiments, for each of a plurality of implementations of a computing resource a corresponding behavioral profile data is stored, which includes for each of a plurality of observed behavioral patterns observed to have been exhibited by the implementation a corresponding summary representation of one or more characteristic traits of the behavioral pattern. At least portions of said behavioral profile data associated with one or more implementations included in a cohort comprising a sub-population of said plurality of implementations identified by configuration data as being associated with said cohort is used to determine that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort.
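The response-comparison steps recited in claim 1 (send a request to two or more cohort members, compare the responses, serve the statistical mode, act on outliers), sketched as an added example that is not part of the patent or any product. The implementation names, the sample responses, comparison by SHA-256 digest of canonical JSON, and quarantine as the responsive action are all assumptions.

```python
import hashlib
import json
from collections import Counter


def canonical_digest(response: dict) -> str:
    """Hash a canonical JSON encoding so equal responses compare equal."""
    blob = json.dumps(response, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def mode_response(responses: dict):
    """Return (mode_response, outlier_ids) for {implementation_id: response}.

    Raises ValueError when fewer than two implementations answered or when
    no single response is strictly most common (a tie has no usable mode).
    """
    if len(responses) < 2:
        raise ValueError("need responses from two or more implementations")
    digests = {impl: canonical_digest(r) for impl, r in responses.items()}
    ranked = Counter(digests.values()).most_common()
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        raise ValueError("no unique statistical mode; escalate instead of answering")
    mode_digest = ranked[0][0]
    outliers = sorted(i for i, d in digests.items() if d != mode_digest)
    winner = next(r for i, r in responses.items() if digests[i] == mode_digest)
    return winner, outliers


def handle_request(responses: dict, quarantined: set) -> dict:
    """Serve the mode response and take responsive action on outliers."""
    answer, outliers = mode_response(responses)
    quarantined.update(outliers)  # assumed action: pull the member from rotation
    return answer


# Constructed sample: three cohort members answer the same request.
SAMPLE = {
    "web-01": {"status": 200, "body": "balance=100"},
    "web-02": {"body": "balance=100", "status": 200},   # same content, other key order
    "web-03": {"status": 200, "body": "balance=9999"},  # deviates from the cohort
}

if __name__ == "__main__":
    pulled = set()
    print(handle_request(SAMPLE, pulled), pulled)
```

With only two members that disagree there is no mode, so the sketch refuses to answer; which member is wrong cannot be decided from the comparison alone.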
23 Claims
1. A system (independent claim, recited in full under First Claim above).
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
16. A method, comprising:
storing for each of a plurality of implementations of a computing resource a corresponding behavioral profile data comprising for each of a plurality of observed behavioral patterns observed to have been exhibited by an implementation a corresponding summary representation of one or more characteristic traits of the behavioral pattern;
using at least portions of said behavioral profile data associated with one or more implementations included in a cohort comprising a sub-population of said plurality of implementations identified by configuration data as being associated with said cohort to determine that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort;
receiving a request associated with said sub-population of said plurality of implementations;
selecting two or more implementations within said sub-population to process the request;
receiving from each a response to the request;
comparing the responses;
determining, based at least in part on the comparison of the responses, a statistical mode response to be provided in response to the request;
detecting that an outlier response not consistent with said statistical mode response was returned by one or more of said two or more implementations; and
taking responsive action with respect to said one or more implementations that provided the outlier response.
Dependent claims: 17, 18, 19
20. A computer program product embodied in a non-transient computer readable medium and comprising computer instructions for:
storing for each of a plurality of implementations of a computing resource a corresponding behavioral profile data comprising for each of a plurality of observed behavioral patterns observed to have been exhibited by an implementation a corresponding summary representation of one or more characteristic traits of the behavioral pattern; and
using at least portions of said behavioral profile data associated with one or more implementations included in a cohort comprising a sub-population of said plurality of implementations identified by configuration data as being associated with said cohort to determine that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort;
receiving a request associated with said sub-population of said plurality of implementations;
selecting two or more implementations within said sub-population to process the request;
receiving from each a response to the request;
comparing the responses;
determining, based at least in part on the comparison of the responses, a statistical mode response to be provided in response to the request;
detecting that an outlier response not consistent with said statistical mode response was returned by one or more of said two or more implementations; and
taking responsive action with respect to said one or more implementations that provided the outlier response.
Dependent claims: 21, 22, 23
Specification