Distributed data surveillance in a community capture environment
First Claim
1. A computer-implemented method of surveillance of a first plurality of packets of data in a distributed computer network of an organization, said method executing computer program instructions stored in a non-transitory storage medium and comprising the steps of:
(a) analyzing a protocol of said data;
(b) analyzing a user-behavior of a user of said distributed computer network;
(c) analyzing a content of each packet belonging to said first plurality of packets of said data by utilizing deep packet inspection (DPI);
(d) establishing a baseline of said data by assigning said each packet to a cluster of said packets amongst a first plurality of clusters of said packets of said data;
(e) computing an overall score of said each packet along axes comprising said protocol, said user-behavior and said content;
(f) based on said overall score, computing an absolute distance between said each packet and a center of said cluster of said packets of said data;
(g) performing said assigning by minimizing an objective function given by a value computed by squaring said absolute distance and summing said value across said first plurality of said packets of said data and further summing said value across said first plurality of said clusters of said packets of said data; and
(h) performing steps (a) through (g) in a master device of said distributed computer network and communicating said baseline to an agent device of said distributed computer network.
1 Assignment
0 Petitions
Abstract
Data surveillance techniques are presented for the detection of security issues, especially of the kind where privileged data may be stolen by steganographic, data-manipulation or any other form of exfiltration attempt. Such attempts may be made by rogue users or admins from inside a network, or by outside attackers who are able to intrude into the network and impersonate legitimate users. The system and methods use a triangulation process whereby analytical results pertaining to data protocol, user behavior and packet content are combined to establish a baseline for the data. Subsequent incoming data is then scored and compared against the baseline to detect any security anomalies. The design incorporates deployment in a distributed network so that the devices of the network participate in the detection of anomalies as a community.
34 Citations
21 Claims
1. (Independent method claim; text as given under First Claim above.) Dependent claims: 2 to 12.
13. A system for surveilling a plurality of packets of data in a distributed computer network of an organization, said system comprising a first set of computer-readable instructions stored in a first non-transitory storage medium and a first microprocessor coupled to said first storage medium for executing said first set of computer-readable instructions, said first microprocessor configured to:
(a) analyze a protocol of said data;
(b) analyze a user-behavior of a user of said distributed computer network;
(c) analyze a content of each packet belonging to said plurality of packets of said data by performing deep packet inspection (DPI);
(d) establish a baseline of said data by an assignment of said each packet to a cluster of said packets amongst a plurality of clusters of said packets of said data;
(f) compute an overall score of said each packet along axes comprising said protocol, said user-behavior and said content;
(g) based on said overall score, compute an absolute distance between said each packet and a center of said cluster of said packets of said data; and
(e) perform said assignment by a minimization of an objective function given by a value computed as a square of said absolute distance summed across said plurality of said packets of said data and further summed across said plurality of said clusters of said packets of said data;
wherein said first microprocessor belongs to a master device of said distributed computer network. Dependent claims: 14 to 21.
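Claims 1 and 13 both describe the same baseline step: each packet gets a score along three axes (protocol, user behavior, content), packets are assigned to clusters, and the assignment is chosen by minimizing the sum over clusters of the sum over packets of the squared distance to the cluster center, which is the k-means objective. The following is an added illustration written for this page, not code from the patent or its assignee. It assumes the three axis scores are already available as numbers in [0, 1] (the claims do not say how the DPI, protocol or user-behavior analyses produce them, so the packet rows below are constructed values), and it adds two choices of its own that the claims do not specify: a deterministic farthest-first seeding for the cluster centers and a per-cluster radius used as the anomaly threshold when later packets are scored against the baseline.

```python
"""k-means baseline over per-packet axis scores, plus scoring of later packets.

Added example for illustration; not the patent's own implementation.
"""
import math

# Constructed sample baseline traffic. Each row is one packet's (protocol,
# user-behavior, content) score. Values are made up: two obvious groups so the
# clustering outcome is easy to follow by hand.
BASELINE_PACKETS = [
    (0.10, 0.12, 0.08), (0.15, 0.10, 0.12), (0.08, 0.14, 0.10), (0.12, 0.09, 0.11),
    (0.82, 0.80, 0.85), (0.78, 0.84, 0.80), (0.85, 0.79, 0.83), (0.80, 0.82, 0.78),
]


def distance(p, c):
    """Absolute (Euclidean) distance between a packet's score vector and a center."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, c)))


def objective(packets, centers, assignment):
    """Claim step (g): squared distance to the assigned center, summed over all
    packets, which is the same as summing within each cluster and then across clusters."""
    return sum(distance(p, centers[assignment[i]]) ** 2 for i, p in enumerate(packets))


def kmeans(packets, k, iterations=50):
    """Lloyd's algorithm: alternate nearest-center assignment and center recomputation.
    Seeding is farthest-first (an assumption of this example) so results are deterministic."""
    centers = [packets[0]]
    while len(centers) < k:
        centers.append(max(packets, key=lambda p: min(distance(p, c) for c in centers)))
    assignment = [0] * len(packets)
    for _ in range(iterations):
        new_assignment = [min(range(k), key=lambda j: distance(p, centers[j])) for p in packets]
        new_centers = []
        for j in range(k):
            members = [p for p, a in zip(packets, new_assignment) if a == j]
            if members:
                new_centers.append(tuple(sum(col) / len(members) for col in zip(*members)))
            else:
                new_centers.append(centers[j])  # keep an empty cluster's old center
        if new_assignment == assignment and new_centers == centers:
            break
        assignment, centers = new_assignment, new_centers
    return centers, assignment


def build_baseline(packets, k=2):
    """Claim step (d): the baseline is the set of cluster centers. The per-cluster
    radius (largest member distance) is this example's choice of anomaly threshold."""
    centers, assignment = kmeans(packets, k)
    radii = []
    for j in range(k):
        dists = [distance(p, centers[j]) for p, a in zip(packets, assignment) if a == j]
        radii.append(max(dists) if dists else 0.0)
    return {"centers": centers, "radii": radii,
            "objective": objective(packets, centers, assignment)}


def score_packet(baseline, packet, tolerance=2.0):
    """Compare a later packet against the baseline: assign it to the nearest center
    and flag it if it lies farther out than tolerance times that cluster's radius."""
    centers = baseline["centers"]
    j = min(range(len(centers)), key=lambda i: distance(packet, centers[i]))
    d = distance(packet, centers[j])
    return {"cluster": j, "distance": d, "anomalous": d > tolerance * baseline["radii"][j]}


if __name__ == "__main__":
    base = build_baseline(BASELINE_PACKETS)
    print("centers:", base["centers"], "objective:", round(base["objective"], 6))
    print(score_packet(base, (0.11, 0.11, 0.10)))   # near cluster 0: not anomalous
    print(score_packet(base, (0.50, 0.95, 0.05)))   # far from both centers: anomalous
```

In the claimed deployment the master device would run `build_baseline` and ship the resulting centers and thresholds to agent devices, which would then run only `score_packet` locally; the radius-based threshold here is one simple rule, and a real system would need to tune it against benign traffic to control false positives.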
Specification