System and method directed to behavioral profiling services
First Claim
1. A security appliance, comprising:
one or more processors; and
a memory coupled to the one or more processors, the memory includes behavior profiling service logic that, when executed by the one or more processors, (i) creates a behavior profile for a particular entity based on received incoming data, and (ii) determines whether the behavior profile identifies that a malicious attack is being performed by the particular entity based on a comparison of the behavior profile to a reference profile;
wherein the reference profile represents (a) historical behavior of the particular entity that is monitored over a prescribed period of time or (b) behavior of peers of the particular entity that is monitored over the same period of time;
wherein the behavior profiling service logic further includes behavior profile generation logic that, when executed by the one or more processors, generates the behavior profile based, at least in part, on a plurality of attributes, the plurality of attributes including (a) a monitored source of the received incoming data and (b) the particular entity whose activities are being monitored; and
wherein the behavior profile is defined by a plurality of features that are categorized in accordance with a selected feature set being one of a time feature set, a location feature set, and a payload feature set, wherein the location feature set includes a plurality of location-based features that are used to define access behavior by the particular entity, wherein the location-based features include two or more of:
(1) a frequency distribution of all unique geographic areas;
(2) the geographic distance between two consecutive accessing locations; and
(3) the moving speed between two consecutive accessing locations.
Abstract
A security appliance with one or more processors and a memory communicatively coupled to the one or more processors is described. The memory includes behavior profiling service logic that, when executed by the one or more processors, (i) creates a behavior profile for a particular entity based on received incoming data, and (ii) determines whether the behavior profile identifies that a malicious attack is being performed by the particular entity based on a comparison of the behavior profile to a reference profile. The reference profile represents historical behavior of the particular entity that is monitored over a prescribed period of time.
16 Claims
10. A computerized method comprising:
generating, by an electronic device communicatively coupled to a network, a reference profile that represents either a historical behavior of a profiled entity being monitored over a first prescribed period of time or a current behavior from peers of the profiled entity being monitored over the first period of time;
generating, by the electronic device, a behavior profile for a particular entity based on received incoming data, wherein generating the reference profile includes setting a training window corresponding to the first prescribed period of time used in generating the reference profile, wherein the first prescribed period of time is dependent on the particular entity being profiled, and wherein the first prescribed period of time associated with a default training period directed to a user is greater in duration than the default training period directed to a server; and
determining whether the behavior profile identifies that a malicious attack is being performed by the particular entity based on a comparison of the behavior profile to the reference profile.
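As an added illustration that is not part of the patent, the following Python computes the three location-based features of claim 1 (area frequency distribution, distance and speed between consecutive accesses) over constructed access records, builds the reference profile from history inside an entity-type-dependent training window as in claim 10, and reports where the incoming behavior profile departs from it. The window lengths, area codes, coordinates and the "exceeds historical maximum" comparison rule are assumptions made here, not values from the patent.

```python
import math
from collections import Counter
# Constructed default training windows (days); claim 10 only requires user > server.
DEFAULT_TRAINING_DAYS = {"user": 30, "server": 7}

def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance in km between two lat/lon points (Earth radius 6371 km).
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def location_features(accesses):
    # Claim 1 location features: (1) area frequency distribution, (2) distance and
    # (3) speed between consecutive accesses. Access = (epoch_s, lat, lon, area).
    accesses = sorted(accesses)
    area_freq = {a: c / len(accesses) for a, c in Counter(x[3] for x in accesses).items()}
    distances, speeds = [], []
    for prev, cur in zip(accesses, accesses[1:]):
        d = haversine_km(prev[1], prev[2], cur[1], cur[2])
        hours = (cur[0] - prev[0]) / 3600.0
        distances.append(d)
        speeds.append(d / hours if hours > 0 else math.inf)  # same-second hop: infinite speed
    return {"area_freq": area_freq, "distances_km": distances, "speeds_kmh": speeds}

def build_reference(history, entity_type, now):
    # Reference profile from the entity's own history inside its type-specific window (claim 10).
    window_s = DEFAULT_TRAINING_DAYS[entity_type] * 86400
    f = location_features([x for x in history if now - window_s <= x[0] <= now])
    return {"area_freq": f["area_freq"], "max_speed_kmh": max(f["speeds_kmh"], default=0.0)}

def compare(profile, reference):
    # Findings where the incoming behavior profile departs from the reference profile.
    findings = [f"speed {s:.0f} km/h exceeds historical max {reference['max_speed_kmh']:.0f} km/h"
                for s in profile["speeds_kmh"] if s > reference["max_speed_kmh"]]
    findings += [f"access from never-seen area {a}" for a in profile["area_freq"]
                 if a not in reference["area_freq"]]
    return findings

NOW = 3_000_000  # constructed clock, seconds
HISTORY = [  # constructed user accesses; the London entry is older than the 30-day user window
    (NOW - 40 * 86400, 51.51, -0.13, "GB-LND"),
    (NOW - 20 * 86400, 37.77, -122.42, "US-CA"),
    (NOW - 10 * 86400, 34.05, -118.24, "US-CA"),
    (NOW - 9 * 86400, 37.77, -122.42, "US-CA"),
]
INCOMING = [(NOW - 7200, 37.77, -122.42, "US-CA"), (NOW - 3600, 55.75, 37.62, "RU-MOW")]
def run():
    return compare(location_features(INCOMING), build_reference(HISTORY, "user", NOW))
```

With the same history, a "server" entity gets only the 7-day window, which here contains no accesses and so yields an empty reference profile; a real deployment would need a minimum-history rule before comparing against it.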