Data surveillance system with patterns of centroid drift

US 10,523,698 B2
Filed: 08/08/2018
Issued: 12/31/2019
Est. Priority Date: 12/15/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of surveillance of a plurality of packets of data in a computer network of an organization, said method executing computer program instructions stored in a non-transitory storage medium and comprising the steps of:

(a) analyzing a protocol of said data;

(b) analyzing a user-behavior of a user of said computer network;

(c) analyzing a content of each packet belonging to said plurality of packets of said data by utilizing deep packet inspection (DPI);

(d) establishing a baseline of said data by assigning said each packet to a cluster of said packets amongst a plurality of clusters of said packets of said data;

(e) computing an overall score of said each packet along axes comprising said protocol, said user-behavior and said content;

(f) based on said overall score, computing an absolute distance between said each packet and a center of said cluster of said packets of said data;

(g) scoring said each packet based on its distance from a centroid of said baseline; and

(h) analyzing a drift of said centroid in accordance with the activities of said organization.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data surveillance techniques are presented for the detection of security issues, especially of the kind where privileged data may be stolen by steganographic, data manipulation or any form of exfiltration attempts. Such attempts may be made by rogue users or admins from the inside of a network, or from outside hackers who are able to intrude into the network and impersonate themselves as legitimate users. The system and methods use a triangulation process whereby analytical results pertaining to data protocol, user-behavior and packet content are combined to establish a baseline for the data. Subsequent incoming data is then scored and compared against the baseline to detect any security anomalies. A centroid representing the normal population of the data packets is identified. The movement or drift of the centroid in response to various events is measured and analyzed. This allows the system to evolve its baseline over time thereby preventing issuing false positives for such events.

Citations

20 Claims

1. A computer-implemented method of surveillance of a plurality of packets of data in a computer network of an organization, said method executing computer program instructions stored in a non-transitory storage medium and comprising the steps of:
- (a) analyzing a protocol of said data;
  
  (b) analyzing a user-behavior of a user of said computer network;
  
  (c) analyzing a content of each packet belonging to said plurality of packets of said data by utilizing deep packet inspection (DPI);
  
  (d) establishing a baseline of said data by assigning said each packet to a cluster of said packets amongst a plurality of clusters of said packets of said data;
  
  (e) computing an overall score of said each packet along axes comprising said protocol, said user-behavior and said content;
  
  (f) based on said overall score, computing an absolute distance between said each packet and a center of said cluster of said packets of said data;
  
  (g) scoring said each packet based on its distance from a centroid of said baseline; and
  
  (h) analyzing a drift of said centroid in accordance with the activities of said organization.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 recording a pattern of said drift and correlating said pattern to an activity amongst said activities.
  - 3. The method of claim 1 where said activities include a response of said organization to a technological breakdown.
  - 4. The method of claim 1 where said activities include a response of said organization to a natural disaster.
  - 5. The method of claim 1 applying fuzzy hashing to a payload of said content.
  - 6. The method of claim 5 comparing said payload to a standard of a file that said packet is purported to belong to.
  - 7. The method of claim 1 further utilizing said steps (a) through (h) to detect a data exfiltration attempt.
  - 8. The method of claim 7 where said anomaly is related to a performance issue of said computer network.
  - 9. The method of claim 1 performing said assigning by minimizing an objective function given by a value computed by squaring said absolute distance and summing said value across said plurality of said packets of said data and further summing said value across said plurality of said clusters of said packets of said data.
  - 10. The method of claim 1 further utilizing one or both of supervised machine learning and unsupervised machine learning to detect an anomaly in said data.

11. A system for surveilling a plurality of packets of data in a computer network of an organization, said system including computer-readable instructions stored in a non-transitory storage medium and a microprocessor coupled to said storage medium for executing said computer-readable instructions, said microprocessor configured to:
- (a) analyze a protocol of said data;
  
  (b) analyze a user-behavior of a user of said computer network;
  
  (c) analyze a content of each packet belonging to said plurality of packets of said data by performing deep packet inspection (DPI);
  
  (d) establish a baseline of said data by an assignment of said each packet to a cluster of said packets amongst a plurality of clusters of said packets of said data;
  
  (e) compute an overall score of said each packet along axes comprising said protocol, said user-behavior and said content;
  
  (f) based on said overall score, compute an absolute distance between said each packet and a center of said cluster of said packets of said data;
  
  (g) score said each packet based on its distance from a centroid of said baseline; and
  
  (h) analyze a drift of said centroid in accordance with the activities of said organization.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11 wherein said microprocessor is further configured to perform said assignment by a minimization of an objective function given by a value computed as a square of said absolute distance summed across said plurality of said packets of said data and further summed across said plurality of said clusters of said packets of said data.
  - 13. The system of claim 11 wherein a pattern of said drift is recorded and correlated to an activity amongst said activities.
  - 14. The system of claim 11 wherein said activities include a response of said organization to a technological breakdown.
  - 15. The system of claim 11 wherein said activities include a response of said organization to a natural disaster.
  - 16. The system of claim 11 wherein fuzzy hashing is applied to a payload of said content to obtain its context triggered piecewise hashes (CTPH) hashes.
  - 17. The system of claim 16 wherein said payload is compared to a standard of a file that said packet is purported to belong to.
  - 18. The system of claim 11 wherein an anomaly in said data is detected by utilizing said elements (a) through (h).
  - 19. The system of claim 18, wherein said anomaly is selected from the group consisting of a data exfiltration attack, a data intrusion attack, a data loss attempt, a data leak attempt and a data steganography attack.
  - 20. The system of claim 18 wherein said anomaly is related to a performance issue of said computer network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Flying Cloud Technologies Incorporated
Original Assignee
Flying Cloud Technologies Incorporated
Inventors
Christian, Brian P.
Primary Examiner(s)
Mejia, Anthony

Application Number

US16/058,145
Publication Number

US 20190098033A1
Time in Patent Office

510 Days
Field of Search

709224
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

H04L 63/0245   Filtering by information in...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Data surveillance system with patterns of centroid drift

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Data surveillance system with patterns of centroid drift

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links