Comparison of behavioral populations for security and compliance monitoring

US 10,462,256 B2
Filed: 02/09/2017
Issued: 10/29/2019
Est. Priority Date: 02/10/2016
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a memory or other storage device configured to store for each of a plurality of implementations of a computing resource a corresponding behavioral profile data comprising for each of a plurality of observed behavioral patterns observed to have been exhibited by an implementation a corresponding summary representation of one or more characteristic traits of the behavioral pattern; and

a processor coupled to the memory or other storage device and configured to;

read and use at least portions of said behavioral profile data associated with one or more implementations included in a cohort comprising a sub-population of said plurality of implementations identified by configuration data as being associated with said cohort to determine that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort;

receive a request associated with said sub-population of said plurality of implementations;

select two or more implementations within said sub-population to process the request;

receive from each a response to the request;

compare the responses;

determine, based at least in part on the comparison of the responses, a statistical mode response to be provided in response to the request;

detect that an outlier response not consistent with said statistical mode response was returned by one or more of said two or more implementations; and

take responsive action with respect to said one or more implementations that provided the outlier response.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques to compare behavioral populations for security and compliance monitoring are disclosed. In various embodiments, for each of a plurality of implementations of a computing resource a corresponding behavioral profile data is store, which includes for each of a plurality of observed behavioral patterns observed to have been exhibited by the implementation a corresponding summary representation of one or more characteristic traits of the behavioral pattern. At least portions of said behavioral profile data associated with one or more implementations included in a cohort comprising a sub-population of said plurality of implementations identified by configuration data as being associated with said cohort is used to determine that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort.

42 Citations

View as Search Results

23 Claims

1. A system, comprising:
- a memory or other storage device configured to store for each of a plurality of implementations of a computing resource a corresponding behavioral profile data comprising for each of a plurality of observed behavioral patterns observed to have been exhibited by an implementation a corresponding summary representation of one or more characteristic traits of the behavioral pattern; and
  
  a processor coupled to the memory or other storage device and configured to;
  
  read and use at least portions of said behavioral profile data associated with one or more implementations included in a cohort comprising a sub-population of said plurality of implementations identified by configuration data as being associated with said cohort to determine that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort;
  
  receive a request associated with said sub-population of said plurality of implementations;
  
  select two or more implementations within said sub-population to process the request;
  
  receive from each a response to the request;
  
  compare the responses;
  
  determine, based at least in part on the comparison of the responses, a statistical mode response to be provided in response to the request;
  
  detect that an outlier response not consistent with said statistical mode response was returned by one or more of said two or more implementations; and
  
  take responsive action with respect to said one or more implementations that provided the outlier response.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein the process is further configured to receive observation data associated with observed behavior of implementations included in said plurality of implementations;
    - generate said behavioral profile data based at least in part on said observation data; and
      
      store said behavioral profile data in said memory or other storage device.
  - 3. The system of claim 2, wherein the processor is further configured to update said behavioral profiles based at least in part on observation data received subsequently to one or both of creation and last update of said behavioral profiles.
  - 4. The system of claim 3, wherein the processor is configured to accumulate observation data and to perform said update based at least in part on a determination that an update criteria has been met.
  - 5. The system of claim 1, wherein each of said computing resources comprises one or more of a device, a hardware platform, a virtual machine, a container, an application or other software, a configuration, a protocol, a standards-based resource, a physical or logical storage device, a database, and a service.
  - 6. The system of claim 1, wherein said summary representation comprises a set of coefficients or other values for each of a plurality of variables.
  - 7. The system of claim 1, wherein said summary representation comprises a vector in a multidimensional space.
  - 8. The system of claim 1, wherein said processor is configured to determine that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort at least in part by comparing a behavioral profile of the member implementation, or a portion thereof, to corresponding portions of the respective behavioral profiles of other implementations in the cohort.
  - 9. The system of claim 1, wherein said processor is configured to determine that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort at least in part by computing based on behavioral profile data of the cohort a statistical probability associated with the observed behavior.
  - 10. The system of claim 1, wherein the processor is further configured to take responsive action based on said determination that the observed behavior deviates from an expected behavior of members of the cohort.
  - 11. The system of claim 1, wherein the processor is further configured to act as an intermediary between one or more clients associated with said sub-population of said plurality of implementations, on the one hand, and said sub-population of said plurality of implementations on the other.
  - 12. The system of claim 11, wherein the processor is further configured to block traffic between said clients and said one or more implementations that provided the outlier response based at least in part on detection of said outlier response.
  - 13. The system of claim 11, wherein the processor comprises a sole way to obtain network access to said sub-population of said plurality of implementations.
  - 14. The system of claim 1, wherein the processor is further configured to take responsive action in response to said determination that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort.
  - 15. The system of claim 14, wherein the responsive action includes an action to modify a software-defined infrastructure in an environment with which said member implementation, including by doing one or more of stopping, starting, or reconfiguring involved VMs, containers, network segments, firewalls, and load balancers based on user configuration to do one or more of block, protect, and isolate the member implementation for forensic purposes.

16. A method, comprising:
- storing for each of a plurality of implementations of a computing resource a corresponding behavioral profile data comprising for each of a plurality of observed behavioral patterns observed to have been exhibited by an implementation a corresponding summary representation of one or more characteristic traits of the behavioral pattern;
  
  using at least portions of said behavioral profile data associated with one or more implementations included in a cohort comprising a sub-population of said plurality of implementations identified by configuration data as being associated with said cohort to determine that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort;
  
  receiving a request associated with said sub-population of said plurality of implementations;
  
  selecting two or more implementations within said sub-population to process the request;
  
  receiving from each a response to the request;
  
  comparing the responses;
  
  determining, based at least in part on the comparison of the responses, a statistical mode response to be provided in response to the request;
  
  detecting that an outlier response not consistent with said statistical mode response was returned by one or more of said two or more implementations; and
  
  taking responsive action with respect to said one or more implementations that provided the outlier response.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, further comprising receiving observation data associated with observed behavior of implementations included in said plurality of implementations;
    - and generating said behavioral profile data based at least in part on said observation data.
  - 18. The method of claim 17, further comprising updating said behavioral profiles based at least in part on observation data received subsequently to one or both of creation and last update of said behavioral profiles.
  - 19. The method of claim 18, further comprising accumulating observation data and performing said update based at least in part on a determination that an update criteria has been met.

20. A computer program product embodied in a non-transient computer readable medium and comprising computer instructions for:
- storing for each of a plurality of implementations of a computing resource a corresponding behavioral profile data comprising for each of a plurality of observed behavioral patterns observed to have been exhibited by an implementation a corresponding summary representation of one or more characteristic traits of the behavioral pattern; and
  
  using at least portions of said behavioral profile data associated with one or more implementations included in a cohort comprising a sub-population of said plurality of implementations identified by configuration data as being associated with said cohort to determine that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort;
  
  receiving a request associated with said sub-population of said plurality of implementations;
  
  selecting two or more implementations within said sub-population to process the request;
  
  receiving from each a response to the request;
  
  comparing the responses;
  
  determining, based at least in part on the comparison of the responses, a statistical mode response to be provided in response to the request;
  
  detecting that an outlier response not consistent with said statistical mode response was returned by one or more of said two or more implementations; and
  
  taking responsive action with respect to said one or more implementations that provided the outlier response.
- View Dependent Claims (21, 22, 23)
- - 21. The computer program product of claim 20, further comprising receiving observation data associated with observed behavior of implementations included in said plurality of implementations;
    - generate said behavioral profile data based at least in part on said observation data; and
      
      store said behavioral profile data in said memory or other storage device.
  - 22. The computer program product of claim 21, further comprising updating said behavioral profiles based at least in part on observation data received subsequently to one or both of creation and last update of said behavioral profiles.
  - 23. The computer program product of claim 22, further comprising accumulating observation data and performing said update based at least in part on a determination that an update criteria has been met.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Curtail, Inc.
Original Assignee
Curtail, Inc.
Inventors
Ross, Robert F.
Primary Examiner(s)
Boutah, Alina A

Application Number

US15/429,050
Publication Number

US 20170230477A1
Time in Patent Office

992 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0816   the condition being an adap...

H04L 41/0886   Fully automatic configuration

H04L 41/142   using statistical or mathem...

H04L 41/16   using machine learning or a...

H04L 41/40   using virtualisation of net...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/306   User profiles

H04L 67/535   Tracking the activity of th...

Comparison of behavioral populations for security and compliance monitoring

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Comparison of behavioral populations for security and compliance monitoring

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links