System and method directed to behavioral profiling services

US 10,505,959 B1
Filed: 12/09/2016
Issued: 12/10/2019
Est. Priority Date: 12/10/2015
Status: Active Grant

First Claim

Patent Images

1. A security appliance, comprising:

one or more processors; and

a memory coupled to the one or more processors, the memory includes behavior profiling service logic that, when executed by the one or more processors, (i) creates a behavior profile for a particular entity based on received incoming data, and (ii) determines whether the behavior profile identifies that a malicious attack is being performed by the particular entity based on a comparison of the behavior profile to a reference profile;

wherein the reference profile represents (a) historical behavior of the particular entity that is monitored over a prescribed period of time or (b) behavior of peers of the particular entity that is monitored over the same period of time;

wherein the behavior profiling service logic further includes behavior profile generation logic that, when executed by the one or more processors, generates the behavior profile based, at least in part, on a plurality of attributes, the plurality of attributes including (a) a monitored source of the received incoming data and (b) the particular entity whose activities are being monitored; and

wherein the behavior profile is defined by a plurality of features that are categorized in accordance with a selected feature set being one of a time feature set, a location feature set, and a payload feature set, wherein the location feature set includes a plurality of location-based features that are used to define access behavior by the particular entity, wherein the location-based features includes two or more of;

(1) a frequency distribution of all unique geographic areas;

(2) the geographic distance between two consecutive accessing locations; and

(3) the moving speed between two consecutive accessing locations.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security appliance with one or more processors and a memory communicatively coupled to the one or more processors is described. The memory includes behavior profiling service logic that, when executed by the one or more processors, (i) creates a behavior profile for a particular entity based on received incoming data, and (ii) determines whether the behavior profile identifies that a malicious attack is being performed by the particular entity based on a comparison of the behavior profile to a reference profile. The reference profile represents historical behavior of the particular entity that is monitored over a prescribed period of time.

25 Citations

View as Search Results

16 Claims

1. A security appliance, comprising:
- one or more processors; and
  
  a memory coupled to the one or more processors, the memory includes behavior profiling service logic that, when executed by the one or more processors, (i) creates a behavior profile for a particular entity based on received incoming data, and (ii) determines whether the behavior profile identifies that a malicious attack is being performed by the particular entity based on a comparison of the behavior profile to a reference profile;
  
  wherein the reference profile represents (a) historical behavior of the particular entity that is monitored over a prescribed period of time or (b) behavior of peers of the particular entity that is monitored over the same period of time;
  
  wherein the behavior profiling service logic further includes behavior profile generation logic that, when executed by the one or more processors, generates the behavior profile based, at least in part, on a plurality of attributes, the plurality of attributes including (a) a monitored source of the received incoming data and (b) the particular entity whose activities are being monitored; and
  
  wherein the behavior profile is defined by a plurality of features that are categorized in accordance with a selected feature set being one of a time feature set, a location feature set, and a payload feature set, wherein the location feature set includes a plurality of location-based features that are used to define access behavior by the particular entity, wherein the location-based features includes two or more of;
  
  (1) a frequency distribution of all unique geographic areas;
  
  (2) the geographic distance between two consecutive accessing locations; and
  
  (3) the moving speed between two consecutive accessing locations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The security appliance of claim 1, wherein the behavior profiling service logic is implemented within a data analysis engine and controls monitoring and collection of at least a portion of the incoming data associated with a selected behavior type in order to create one or more behavior profiles.
  - 3. The security appliance of claim 1, wherein the behavior profile defined by the time feature set includes a plurality of time-based features that are used to define access behavior by the particular entity, the plurality of the time-based features includes at least three of (1) a first access time of a day by the particular entity;
    - (2) a last access time of the day by the particular entity;
      
      (3) a total number of access each day by the particular entity;
      
      (4) a total duration of access each day by the particular entity;
      
      (5) average duration of each access by the particular entity;
      
      (6) a standard deviation of duration of all accesses;
      
      (7) a minimum interval time during consecutive accesses;
      
      or (8) a maximum interval time during consecutive accesses.
  - 4. The security appliance of claim 1, wherein the location feature set further includes a plurality of location-based features that are used to define access behavior by the particular entity, the location-based features include two or more of (1) a total number of unique Internet Protocol (IP) addresses;
    - (2) a total number of geographic areas; and
      
      (3) a frequency distribution of all unique IP addresses.
  - 5. The security appliance of claim 1, wherein the behavior profile is defined by a payload feature set including a plurality of payload-based features that may be used to define data transfer behavior, the payload-based features includes one or more of (1) a total size of all uploading sessions or downloading sessions;
    - (2) an average size of each uploading session or downloading session;
      
      (3) a ratio between a number of uploading sessions and a number of downloading sessions, (4) the size distribution of all uploading or downloading sessions.
  - 6. The security appliance of claim 3, wherein the behavior profile generation logic includes a profile timing component that, when executed by the one or more processors, sets a frequency of feature extraction from the plurality of time-based features.
  - 7. The security appliance of claim 1, wherein the behavior profiling service logic includes reference profile generation logic that, when executed by the one or more processors, generates the reference profile during a prescribed training period.
  - 8. The security appliance of claim 7, wherein the training period is based, at least in part, on a type of particular entity in which a default training period directed to a user is greater in duration than a default training period for a server.
  - 9. The security appliance of claim 1, wherein the behavior profiling service logic includes behavior profiling and reporting logic that, when executed by the one or more processors, conducts a comparison between (i) content associated with each of the plurality of features that collectively form the behavior profile, where the content associated with the features may be gathered during a first prescribed period of time, and (ii) content associated with corresponding features of one or more reference profiles produced by the reference profile generation logic.

10. A computerized method comprising:
- generating, by an electronic device communicatively coupled to a network, a reference profile that represents either a historical behavior of a profiled entity being monitored over a first prescribed period of time or a current behavior from peers of the profiled entity being monitored over the first period of time;
  
  generating, by the electronic device, a behavior profile for a particular entity based on received incoming data, wherein generating the reference profile includes setting a training window corresponding to the first prescribed period of time used in generating the reference profile, wherein the first prescribed period of time is dependent on the particular entity being profiled, and wherein the first prescribed period of time associated with a default training period directed to a user is greater in duration than the default training period directed to a server; and
  
  determining whether the behavior profile identifies that a malicious attack is being performed by the particular entity based on a comparison of the behavior profile to the reference profile.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The computerized method of claim 10, wherein the determining whether the behavior profile identifies that the malicious attack is being performed by the particular entity is conducted by the electronic device.
  - 12. The computerized method of claim 10, wherein the generating of the behavior profile comprises generates the behavior profile based, at least in part, on a plurality of attributes, the plurality of attributes include (a) a monitored source of the received incoming data and (b) the particular entity whose activities are being monitored.
  - 13. The computerized method of claim 10, wherein the behavior profile is defined by a plurality of time-based features that are used to define access behavior by the particular entity, the plurality of time-based features includes (1) a first access time of a day by the particular entity;
    - (2) a last access time of the day by the particular entity; and
      
      (3) a total number of access each day by the particular entity.
  - 14. The computerized method of claim 13, wherein the plurality of time-based features further include (4) a total duration of access each day by the particular entity;
    - and (5) average duration of each access by the particular entity.
  - 15. The computerized method of claim 10, wherein the behavior profile is defined by a plurality of location-based features that are used to define access behavior by the particular entity, the location-based features include a total number of unique Internet Protocol (IP) addresses;
    - and a total number of geographic areas associated with the unique IP addresses.
  - 16. The computerized method of claim 10, wherein the behavior profile is defined by a plurality of payload-based features that may be used to define data transfer behavior, the payload-based features includes (1) a total size of a plurality of uploading sessions or downloading sessions, and (2) an average size of each uploading session or downloading session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Wang, Jisheng, Shashanka, Madhusudana, Yang, Chao, Shen, Min-Yi
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Wyszynski, Aubrey H

Application Number

US15/374,496
Time in Patent Office

1,096 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/554   involving event detection a...

G06N 20/00   Machine learning

G06N 5/04   Inference or reasoning models

H04L 63/1425   Traffic logging, e.g. anoma...

System and method directed to behavioral profiling services

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

System and method directed to behavioral profiling services

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others